Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
Analysis ID: 632606
MD5: 09d431a8321ec75d7ff057787c319897
SHA1: b709d7968897d774676194b9708f304a6a472086
SHA256: 1be03967a615254ca0b3eba8b5aaa6b5f5c91c9f03d4fe2692b3675f93c0b26d

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Contains functionality to detect virtual machines (SLDT)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 0000000C.00000000.1265287486.0000000000F00000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin"}
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe.8408.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1972606022", "Chat URL": "https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocument"}
Source: CasPol.exe.376.12.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendMessage"}
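The three extractor results above are the most actionable part of the report: one GuLoader stage-2 URL and one Telegram bot token shared by the AgentTesla and Telegram RAT configurations (sendDocument for file exfiltration, sendMessage for text). The script below is an added example, not Joe Sandbox code: it parses lines in the extractor's "family {json}" format, pulls out hosts and URLs, and records the Telegram channel without keeping the bot secret, since a token copied into a ticket or a shared IOC list hands whoever reads it the bot's inbox. CONFIG_LINES reproduces the report's three lines; the field names, the defanging style and the SHA-256-of-token convention are this example's own.

```python
"""Extract actionable indicators from the configuration strings a sandbox
recovered for this sample: the GuLoader stage-2 URL and the AgentTesla /
Telegram RAT exfiltration channel.

Added example, not Joe Sandbox code. CONFIG_LINES reproduces the three
extractor results printed in the report; the field names, the defanging
style and the decision to keep only a SHA-256 of the bot token are this
example's own conventions.
"""
import hashlib
import json
import re
from urllib.parse import urlsplit

CONFIG_LINES = [
    'Malware Configuration Extractor: GuLoader {"Payload URL": "http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin"}',
    'Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1972606022", "Chat URL": "https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocument"}',
    'Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendMessage"}',
]

# "<family> {json}" as the sandbox prints it.
EXTRACTOR_RE = re.compile(r"Malware Configuration Extractor:\s*(?P<family>.+?)\s*(?P<json>\{.*\})\s*$")
# Telegram Bot API URLs carry the bot token in the path: /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)


def parse_config_line(line):
    """Return (family, config dict) for one extractor line, or None otherwise."""
    m = EXTRACTOR_RE.search(line)
    if m is None:
        return None
    return m.group("family"), json.loads(m.group("json"))


def defang(url):
    """hxxp:// and [.] in the host so the indicator cannot be clicked or auto-linked."""
    host = urlsplit(url).hostname
    return url.replace("http", "hxxp", 1).replace(host, host.replace(".", "[.]"), 1)


def extract_iocs(lines):
    """Collect hosts, defanged URLs and the Telegram channel from extractor output.

    The bot token is a live secret (it grants access to the bot's message
    inbox), so only the public numeric bot id and a digest of the full token
    are kept; the digest is enough to correlate samples sharing one bot.
    """
    iocs = {"families": [], "hosts": set(), "urls": set(), "telegram": {}}
    for line in lines:
        parsed = parse_config_line(line)
        if parsed is None:
            continue
        family, cfg = parsed
        iocs["families"].append(family)
        if "Chat id" in cfg:
            iocs["telegram"]["chat_id"] = cfg["Chat id"]
        for value in cfg.values():
            if not isinstance(value, str) or "://" not in value:
                continue
            iocs["hosts"].add(urlsplit(value).hostname)
            tg = TELEGRAM_BOT_RE.match(value)
            if tg is None:
                iocs["urls"].add(defang(value))
                continue
            token = f"{tg['bot_id']}:{tg['secret']}"
            iocs["telegram"]["bot_id"] = tg["bot_id"]
            iocs["telegram"]["token_sha256"] = hashlib.sha256(token.encode()).hexdigest()
            iocs["telegram"].setdefault("methods", set()).add(tg["method"])
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(CONFIG_LINES), indent=2, default=sorted))
```

Note that the numeric part before the colon (1977970812) is the bot id and is distinct from the chat id (1972606022) that AgentTesla posts to; both are worth tracking because operators frequently reuse one bot across many builds.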
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
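The two "Static PE information" lines list the COFF Characteristics and the optional-header DllCharacteristics of the dropper. The combination worth noticing is RELOCS_STRIPPED together with DYNAMIC_BASE: DYNAMIC_BASE only opts the image in to ASLR, and an image with no relocation table cannot be rebased, so the loader maps it at its preferred base every time. The decoder below is an added example, not sandbox code. build_header() constructs a minimal MZ/PE32 header skeleton so the decoder runs offline; REPORTED_* carry exactly the flags the report printed, while the machine type, section count and timestamp in the constructed header are arbitrary filler, not data from the sample.

```python
"""Decode the PE header flags the report lists for the dropper and flag the
mitigation-relevant combination among them.

Added example, not sandbox code. build_header() constructs a minimal MZ/PE32
header skeleton so the decoder runs offline; REPORTED_* hold the flags the
report printed, everything else in the constructed header (machine, section
count, timestamp) is arbitrary filler, not data from the sample.
"""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* bits of the COFF Characteristics field.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
# IMAGE_DLLCHARACTERISTICS_* bits of the optional header.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Flags as printed in the report's "Static PE information" lines.
REPORTED_CHARACTERISTICS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100  # 0x010F
REPORTED_DLL_CHARACTERISTICS = 0x0040 | 0x0100 | 0x0400 | 0x8000       # 0x8540


def _names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def pe_flags(data, analysis_time=None):
    """Return decoded flags and caveats from the headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 0x46)  # same offset in PE32 and PE32+

    chars = _names(characteristics, CHARACTERISTICS)
    dll_chars = _names(dll_characteristics, DLL_CHARACTERISTICS)
    caveats = []
    # DYNAMIC_BASE only requests ASLR; with no relocation table the loader
    # cannot move the image, so it is always mapped at its preferred base.
    if "DYNAMIC_BASE" in dll_chars and "RELOCS_STRIPPED" in chars:
        caveats.append("DYNAMIC_BASE set but relocations stripped: image is not rebased, ASLR ineffective")
    if analysis_time is not None and timestamp > analysis_time:
        caveats.append("link timestamp is later than the analysis time: forged or clock-skewed build time")
    return {
        "machine": hex(machine),
        "pe32plus": magic == 0x20B,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "characteristics": chars,
        "dll_characteristics": dll_chars,
        "caveats": caveats,
    }


def build_header(characteristics, dll_characteristics, timestamp=0):
    """Constructed MZ + PE32 header carrying the given flags (no sections, no code)."""
    hdr = bytearray(0x40 + 4 + 20 + 0xE0)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 4, timestamp)         # i386, 4 sections (filler)
    struct.pack_into("<HH", hdr, 0x44 + 16, 0xE0, characteristics)   # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", hdr, 0x58, 0x10B)                         # PE32 magic
    struct.pack_into("<H", hdr, 0x58 + 0x46, dll_characteristics)
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_header(REPORTED_CHARACTERISTICS, REPORTED_DLL_CHARACTERISTICS)
    for key, value in pe_flags(sample).items():
        print(f"{key}: {value}")
```

Run pe_flags() on the real file bytes to get the same decode for the sample; the analysis_time check is the shape of the report's "Binary contains a suspicious time stamp" finding, and needs the sandbox's run time, which this page does not give.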
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.UnmanagedMemoryStream\net6.0-Release\System.IO.UnmanagedMemoryStream.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1923518409.0000000002876000.00000004.00000800.00020000.00000000.sdmp, System.IO.UnmanagedMemoryStream.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking

Source: Malware configuration extractor URLs: http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000C.00000002.6127221532.000000000126B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000C.00000002.6153855558.000000001D6F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kUYmnxF1L3RMXTOEA.ne
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6153633788.000000001D6D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000003.1443175396.000000001C411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kUYmnxF1L3RMXTOEA.net
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://zFeqMl.com
Source: CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocument
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocumentdocument-----
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1923518409.0000000002876000.00000004.00000800.00020000.00000000.sdmp, System.IO.UnmanagedMemoryStream.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
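Read together with the signatures "Creates a process in suspended mode", "Writes to foreign memory regions" and the Telegram URLs sitting in CasPol.exe memory, the Networking section describes a chain that is easy to detect on an endpoint: the dropper in the user's Desktop launches C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, writes into it, and CasPol.exe (a command-line code-access-security policy tool with no network role) then fetches the payload from 2.56.57.22 and posts to api.telegram.org (149.154.167.220 in the sandbox). The rules below are an added example, not Joe Sandbox output and not a shipped rule set. EVENTS is a constructed Sysmon-style log (EventID 1 process create, 3 network connect, 10 process access): the images, hostnames and IPs come from the report, the PIDs echo the report's dump names (8408 for the dropper, 376 for CasPol.exe), and the benign events are invented to show what the rules leave alone.

```python
"""Detection logic for the process chain this report describes: the NSIS
dropper launches the .NET Framework tool CasPol.exe, writes into it, and
CasPol.exe then fetches the GuLoader payload and posts to the Telegram Bot API.

Added example, not Joe Sandbox output and not a shipped rule set. EVENTS is a
constructed Sysmon-style log (EventID 1 process create, 3 network connect,
10 process access): the images, hostnames and IPs come from the report, the
PIDs echo the report's dump names, the benign events are invented.
"""

# Network indicators from the report's configuration extractor and Networking section.
IOC_HOSTS = {"api.telegram.org", "2.56.57.22"}
IOC_IPS = {"149.154.167.220", "2.56.57.22"}

# Access rights in Sysmon's GrantedAccess that allow writing code into another process.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

CASPOL = "\\caspol.exe"  # command-line CAS policy editor; it has no reason to touch the network
DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
CASPOL_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

EVENTS = [  # constructed
    {"EventID": 1, "ProcessId": 376, "Image": CASPOL_PATH, "ParentProcessId": 8408, "ParentImage": DROPPER},
    {"EventID": 10, "SourceProcessId": 8408, "SourceImage": DROPPER,
     "TargetProcessId": 376, "TargetImage": CASPOL_PATH, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "ProcessId": 376, "Image": CASPOL_PATH, "DestinationIp": "2.56.57.22",
     "DestinationPort": 80, "DestinationHostname": "2.56.57.22"},
    {"EventID": 3, "ProcessId": 376, "Image": CASPOL_PATH, "DestinationIp": "149.154.167.220",
     "DestinationPort": 443, "DestinationHostname": "api.telegram.org"},
    # Benign noise: a browser on an unrelated site, and csrss.exe, which opens every process.
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "140.82.112.3", "DestinationPort": 443, "DestinationHostname": "github.com"},
    {"EventID": 10, "SourceProcessId": 892, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 376, "TargetImage": CASPOL_PATH, "GrantedAccess": "0x1FFFFF"},
]


def _is_caspol(path):
    return path.lower().endswith(CASPOL)


def _under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def detect(events):
    """Return (rule, pid) pairs; one event can satisfy more than one rule."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and _is_caspol(ev["Image"]) and not _under_windows(ev["ParentImage"]):
            # CasPol is run by an admin from a shell under C:\Windows, not by a file in a user profile.
            alerts.append(("caspol_spawned_from_user_path", ev["ProcessId"]))
        elif eid == 3:
            if _is_caspol(ev["Image"]):
                alerts.append(("caspol_network_connection", ev["ProcessId"]))
            # A host match alone is weak for api.telegram.org (legitimate bots use it too);
            # pair it with the process context above before paging anyone.
            if ev.get("DestinationHostname") in IOC_HOSTS or ev.get("DestinationIp") in IOC_IPS:
                alerts.append(("network_ioc_match", ev["ProcessId"]))
        elif eid == 10 and _is_caspol(ev["TargetImage"]):
            granted = int(ev["GrantedAccess"], 16)
            # "Writes to foreign memory regions": a non-system process opening CasPol with write rights.
            if granted & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION) and not _under_windows(ev["SourceImage"]):
                alerts.append(("write_into_caspol", ev["SourceProcessId"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}")
```

The two CasPol.exe rules carry the weight here: they fire on behaviour the binary never has legitimately, so they survive a change of payload host or bot token, whereas the IOC match is only good until the operator rotates infrastructure.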
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_74251BFF 0_2_74251BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A43BE 0_2_032A43BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B060A 0_2_032B060A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B1DB7 0_2_032B1DB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA72B 0_2_032AA72B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A2721 0_2_032A2721
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1F24 0_2_032A1F24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A5F39 0_2_032A5F39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1735 0_2_032A1735
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1B0A 0_2_032A1B0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7308 0_2_032A7308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0F0D 0_2_032A0F0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0302 0_2_032A0302
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1705 0_2_032A1705
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1F6B 0_2_032A1F6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6369 0_2_032A6369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A176F 0_2_032A176F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A2761 0_2_032A2761
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0F67 0_2_032A0F67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0F79 0_2_032A0F79
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0742 0_2_032A0742
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0341 0_2_032A0341
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1350 0_2_032A1350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1B50 0_2_032A1B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0FAB 0_2_032A0FAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A17AC 0_2_032A17AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A27A6 0_2_032A27A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1FA4 0_2_032A1FA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1BBA 0_2_032A1BBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A03B6 0_2_032A03B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A4BB6 0_2_032A4BB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0382 0_2_032A0382
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0785 0_2_032A0785
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0B9B 0_2_032A0B9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7B96 0_2_032A7B96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0FFB 0_2_032A0FFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1BFF 0_2_032A1BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A17F3 0_2_032A17F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A27F3 0_2_032A27F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A03F1 0_2_032A03F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA7D8 0_2_032AA7D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1FD9 0_2_032A1FD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0BD4 0_2_032A0BD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1E24 0_2_032A1E24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A123E 0_2_032A123E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA234 0_2_032AA234
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A060D 0_2_032A060D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1A00 0_2_032A1A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1201 0_2_032A1201
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AAE18 0_2_032AAE18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A2619 0_2_032A2619
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7E19 0_2_032A7E19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A621D 0_2_032A621D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0A6D 0_2_032A0A6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A2662 0_2_032A2662
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A3664 0_2_032A3664
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1E64 0_2_032A1E64
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A167E 0_2_032A167E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A727F 0_2_032A727F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A064F 0_2_032A064F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1A46 0_2_032A1A46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0E44 0_2_032A0E44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6657 0_2_032A6657
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1EB3 0_2_032A1EB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A068E 0_2_032A068E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0E8E 0_2_032A0E8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1A8E 0_2_032A1A8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1283 0_2_032A1283
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B2E91 0_2_032B2E91
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7EE6 0_2_032A7EE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A26E7 0_2_032A26E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A06FE 0_2_032A06FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7AFE 0_2_032A7AFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0AF3 0_2_032A0AF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A06CC 0_2_032A06CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1AC3 0_2_032A1AC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A62C0 0_2_032A62C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0EC6 0_2_032A0EC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A12C6 0_2_032A12C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A9AC7 0_2_032A9AC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A16C5 0_2_032A16C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A9AD3 0_2_032A9AD3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A092F 0_2_032A092F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1121 0_2_032A1121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0521 0_2_032A0521
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A2525 0_2_032A2525
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6139 0_2_032A6139
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A193C 0_2_032A193C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0133 0_2_032A0133
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6530 0_2_032A6530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A190A 0_2_032A190A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6D0D 0_2_032A6D0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6D1B 0_2_032A6D1B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1D1F 0_2_032A1D1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AAD1C 0_2_032AAD1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6D13 0_2_032A6D13
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6111 0_2_032A6111
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0561 0_2_032A0561
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0166 0_2_032A0166
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1D67 0_2_032A1D67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AAD65 0_2_032AAD65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A617B 0_2_032A617B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0976 0_2_032A0976
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6D4E 0_2_032A6D4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA95F 0_2_032AA95F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6552 0_2_032A6552
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7552 0_2_032A7552
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1150 0_2_032A1150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7D50 0_2_032A7D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A01AB 0_2_032A01AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A65AD 0_2_032A65AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0DA1 0_2_032A0DA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0DA5 0_2_032A0DA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A09B8 0_2_032A09B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B29B3 0_2_032B29B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A118B 0_2_032A118B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1988 0_2_032A1988
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA585 0_2_032AA585
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0599 0_2_032A0599
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA599 0_2_032AA599
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AED93 0_2_032AED93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA5EB 0_2_032AA5EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1DE8 0_2_032A1DE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A11FA 0_2_032A11FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0DFB 0_2_032A0DFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A09FF 0_2_032A09FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A05CA 0_2_032A05CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1DCA 0_2_032A1DCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A11C7 0_2_032A11C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A25D9 0_2_032A25D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A19D0 0_2_032A19D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA429 0_2_032AA429
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA833 0_2_032AA833
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0808 0_2_032A0808
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0003 0_2_032A0003
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6400 0_2_032A6400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7C06 0_2_032A7C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A041B 0_2_032A041B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A181F 0_2_032A181F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A981D 0_2_032A981D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A2013 0_2_032A2013
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6013 0_2_032A6013
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0015 0_2_032A0015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA469 0_2_032AA469
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B0C6F 0_2_032B0C6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AE06D 0_2_032AE06D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0460 0_2_032A0460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1067 0_2_032A1067
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B2C66 0_2_032B2C66
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A007B 0_2_032A007B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1C7B 0_2_032A1C7B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A347E 0_2_032A347E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A087D 0_2_032A087D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A184E 0_2_032A184E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A004C 0_2_032A004C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A204C 0_2_032A204C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1C45 0_2_032A1C45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AAC45 0_2_032AAC45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1CAC 0_2_032A1CAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA8AC 0_2_032AA8AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A7CA3 0_2_032A7CA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A00BA 0_2_032A00BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A74BB 0_2_032A74BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A74BF 0_2_032A74BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A64BD 0_2_032A64BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A208A 0_2_032A208A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A5C87 0_2_032A5C87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A049D 0_2_032A049D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1892 0_2_032A1892
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A00EB 0_2_032A00EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A10E8 0_2_032A10E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A24EE 0_2_032A24EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A08EF 0_2_032A08EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A1CE3 0_2_032A1CE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B0CE1 0_2_032B0CE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A70CA 0_2_032A70CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A18C8 0_2_032A18C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A08CF 0_2_032A08CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A0CCD 0_2_032A0CCD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AACD9 0_2_032AACD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A04DE 0_2_032A04DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A20D0 0_2_032A20D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00F12573 12_2_00F12573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_00F124A2 12_2_00F124A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1D586B62 12_2_1D586B62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1D58A160 12_2_1D58A160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1D589890 12_2_1D589890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1D589548 12_2_1D589548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC46E10 12_2_1FC46E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC47D85 12_2_1FC47D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC4AC18 12_2_1FC4AC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC44730 12_2_1FC44730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC4DA18 12_2_1FC4DA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC471C0 12_2_1FC471C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC4D9BA 12_2_1FC4D9BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC4008B 12_2_1FC4008B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC40090 12_2_1FC40090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D2C68 12_2_205D2C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D80F0 12_2_205D80F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DA147 12_2_205DA147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DF108 12_2_205DF108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D3310 12_2_205D3310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D4CB0 12_2_205D4CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B3B34 NtProtectVirtualMemory, 0_2_032B3B34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B1DB7 NtAllocateVirtualMemory, 0_2_032B1DB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process Stats: CPU usage > 98%
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.IO.UnmanagedMemoryStream.dll@ vs SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1923518409.0000000002876000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.IO.UnmanagedMemoryStream.dll@ vs SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe File created: C:\Users\user\AppData\Local\Temp\nsj52FD.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/10@0/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.UnmanagedMemoryStream\net6.0-Release\System.IO.UnmanagedMemoryStream.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1923518409.0000000002876000.00000004.00000800.00020000.00000000.sdmp, System.IO.UnmanagedMemoryStream.dll.0.dr

Data Obfuscation

Source: Yara match File source: 0000000C.00000000.1265287486.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_742530C0 push eax; ret 0_2_742530EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A43BE push FFFFFFECh; retn F381h 0_2_032A478D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B1DB7 push A8C34522h; ret 0_2_032B21F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A3C4A push 743CFB60h; retn 8ECCh 0_2_032A3A2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A3B39 push ebx; iretd 0_2_032A3B3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A5F08 push A096CC56h; retf 0_2_032A5F19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A339B push ecx; ret 0_2_032A33AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A427E push edx; iretd 0_2_032A4288
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A4070 push FFFFFF81h; ret 0_2_032A4093
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A30CA push ebx; retf E547h 0_2_032A316A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1FC4CE80 push esp; iretd 12_2_1FC4CE81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DE04B push eax; ret 12_2_205DE052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D1479 push ebx; ret 12_2_205D147A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D2871 pushad ; ret 12_2_205D2872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DDC06 push esp; ret 12_2_205DDC07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DE030 push eax; ret 12_2_205DE032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D1023 push eax; ret 12_2_205D102A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DDCC9 push esp; ret 12_2_205DDCCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D28C3 pushad ; ret 12_2_205D291A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D18E3 push esi; ret 12_2_205D1932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DE09D push eax; ret 12_2_205DE0A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D809B pushfd ; ret 12_2_205D80E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D1483 push ebx; ret 12_2_205D14CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DE0BF push eax; ret 12_2_205DE0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DD951 push edi; ret 12_2_205DD958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DDD42 push ebx; ret 12_2_205DDD49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DD976 push edi; ret 12_2_205DD978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D193B push esi; ret 12_2_205D1982
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DDD2A push ebx; ret 12_2_205DDD2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205DD9D8 push esi; ret 12_2_205DD9DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D19D3 push esi; ret 12_2_205D19DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_74251BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_74251BFF
Source: System.IO.UnmanagedMemoryStream.dll.0.dr Static PE information: 0xFD78D1DD [Sat Oct 4 08:54:53 2104 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe File created: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe File created: C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924437452.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924437452.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4292 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A2721 rdtsc 0_2_032A2721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_1D580C40 sldt word ptr [eax] 12_2_1D580C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe API call chain: ExitProcess graph end node
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924437452.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 0000000C.00000002.6129061557.00000000012C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 0000000C.00000002.6128128478.00000000012A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo@
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924437452.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 0000000C.00000002.6127221532.000000000126B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh'+
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_74251BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_74251BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A2721 rdtsc 0_2_032A2721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AABF6 mov eax, dword ptr fs:[00000030h] 0_2_032AABF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AAD1C mov ebx, dword ptr fs:[00000030h] 0_2_032AAD1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AAD1C mov eax, dword ptr fs:[00000030h] 0_2_032AAD1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032A6111 mov eax, dword ptr fs:[00000030h] 0_2_032A6111
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AAD65 mov ebx, dword ptr fs:[00000030h] 0_2_032AAD65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B19AA mov eax, dword ptr fs:[00000030h] 0_2_032B19AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B11C1 mov eax, dword ptr fs:[00000030h] 0_2_032B11C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AA429 mov eax, dword ptr fs:[00000030h] 0_2_032AA429
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032B2C66 mov eax, dword ptr fs:[00000030h] 0_2_032B2C66
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AAC45 mov eax, dword ptr fs:[00000030h] 0_2_032AAC45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_032AACD9 mov eax, dword ptr fs:[00000030h] 0_2_032AACD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 12_2_205D2690 LdrInitializeThunk, 12_2_205D2690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F00000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR
Source: Yara match File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR
Source: Yara match File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR