Windows Analysis Report
dlawt.exe

Overview

General Information

Sample Name: dlawt.exe
Analysis ID: 711461
MD5: cf313a27bceba36c7fa863ba1e935676
SHA1: 4ff90062880efe58e6e26ded7f166c5786e201db
SHA256: d4fba0fc4c7c1335a5b6be72e575a2a9a400a5fd9b0aed69389d4bba8fac7527
Infos:

Detection

NanoCore, GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected GuLoader
Snort IDS alert for network traffic
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Antivirus or Machine Learning detection for unpacked file
Source: 1.2.dlawt.exe.410ea0.1.unpack Avira: Label: ADWARE/Adware.Gen7
Uses 32bit PE files
Source: dlawt.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 142.250.186.174:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49841 version: TLS 1.2
Source: dlawt.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: caspol.pdbx source: dslmon.exe, 0000000B.00000000.29808664480.0000000000862000.00000002.00000001.01000000.00000009.sdmp, dslmon.exe.3.dr
Source: Binary string: caspol.pdb source: dslmon.exe, 0000000B.00000000.29808664480.0000000000862000.00000002.00000001.01000000.00000009.sdmp, dslmon.exe.3.dr
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_004065C7 FindFirstFileW,FindClose, 1_2_004065C7
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405996
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00402868 FindFirstFileW, 1_2_00402868
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49842 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49842 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49843 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49843 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49844 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49844 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49845 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49845 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49847 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49847 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49848 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49848 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49849 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49849 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49850 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49850 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49851 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49851 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49852 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49852 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49853 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49853 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49854 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49854 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49855 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49855 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49857 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49857 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49858 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49858 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49859 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49859 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49860 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49860 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49861 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49861 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49862 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49862 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49863 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49863 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49864 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49864 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49865 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49865 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49866 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49866 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49867 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49867 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49868 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49868 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49869 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49869 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49870 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49870 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49871 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49871 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49872 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49872 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49874 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 137.63.71.51:3959 -> 192.168.11.20:49874
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49874 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49875 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49875 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49876 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49876 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49877 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49877 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49878 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49878 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49879 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 137.63.71.51:3959 -> 192.168.11.20:49879
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49879 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49880 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49880 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49881 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49881 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49882 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49882 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49883 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49883 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49884 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49884 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49885 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49885 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49886 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49886 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49887 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49887 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49888 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49888 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49889 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49889 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49890 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49890 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49891 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49891 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49892 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49892 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49893 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49893 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49894 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49894 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49895 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49895 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49896 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49896 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49897 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49897 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49898 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49898 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49899 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49899 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49900 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49900 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49901 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49901 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49902 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 137.63.71.51:3959 -> 192.168.11.20:49902
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49902 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49903 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49903 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49904 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49904 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49905 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49905 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49906 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49906 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49908 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49908 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49909 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49909 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49910 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49910 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49911 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49911 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49912 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49912 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49913 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49913 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49914 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49914 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49915 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49915 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49916 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49916 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49917 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49917 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49918 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49918 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49919 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49919 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49920 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49920 -> 137.63.71.51:3959
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49921 -> 137.63.71.51:3959
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMANAHA-NEWCA AMANAHA-NEWCA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=12kdF3UKFZK3CB9va21Q67UlQDNdJJSzV HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7ccvegr5baur8gb8av4io695h7c3rd6h/1664343150000/14816144373961604306/*/12kdF3UKFZK3CB9va21Q67UlQDNdJJSzV?e=download&uuid=3cf3d666-d660-416c-bcce-539871aa28db HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-38-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49842 -> 137.63.71.51:3959
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: unknown TCP traffic detected without corresponding DNS query: 137.63.71.51
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: folder-download.png.1.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: CasPol.exe, 00000003.00000003.29761275591.00000000013AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000003.00000003.29767350810.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.29767309570.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.29761275591.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.30020055841.00000000013C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: text-x-generic.png.1.dr String found in binary or memory: http://jimmac.musichall.czif
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: dlawt.exe, Supplicatingly.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/chart
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/datastyle
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/drawing
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/help
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/meta
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/office
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/style
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/table
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://openoffice.org/2000/text
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://sun.com/2000/XMLSearch
Source: dlawt.exe, 00000001.00000003.29438167474.000000000294B000.00000004.00000800.00020000.00000000.sdmp, idxcaption.xsl.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CasPol.exe, 00000003.00000003.29767497242.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.30020617540.000000000135F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0g-38-docs.googleusercontent.com/
Source: CasPol.exe, 00000003.00000003.30020617540.000000000135F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0g-38-docs.googleusercontent.com/c
Source: CasPol.exe, 00000003.00000003.29767588712.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.29761525520.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.29761726305.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.30020297095.00000000013E2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.30019510096.000000000137C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0g-38-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7ccvegr5
Source: CasPol.exe, 00000003.00000003.29767685396.00000000013F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=12kdF3UKFZK3CB9va21Q6
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=12kdF3UKFZK3CB9va21Q67UlQDNdJJSzV HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7ccvegr5baur8gb8av4io695h7c3rd6h/1664343150000/14816144373961604306/*/12kdF3UKFZK3CB9va21Q67UlQDNdJJSzV?e=download&uuid=3cf3d666-d660-416c-bcce-539871aa28db HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-38-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.186.174:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49841 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_0040542B
Uses 32bit PE files
Source: dlawt.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403359
Detected potential crypto function
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00404C68 1_2_00404C68
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0040698E 1_2_0040698E
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_6EC41B63 1_2_6EC41B63
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03293C79 1_2_03293C79
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283723 1_2_03283723
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BF23 1_2_0328BF23
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03287B06 1_2_03287B06
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328936D 1_2_0328936D
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0329736F 1_2_0329736F
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283762 1_2_03283762
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03284347 1_2_03284347
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328438F 1_2_0328438F
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BF9D 1_2_0328BF9D
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328379E 1_2_0328379E
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03294BEE 1_2_03294BEE
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BFF5 1_2_0328BFF5
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03287BCA 1_2_03287BCA
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283628 1_2_03283628
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03293638 1_2_03293638
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03289230 1_2_03289230
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283602 1_2_03283602
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03287A61 1_2_03287A61
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BE77 1_2_0328BE77
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283653 1_2_03283653
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C2BB 1_2_0328C2BB
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032836BF 1_2_032836BF
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328368D 1_2_0328368D
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032886EE 1_2_032886EE
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032836F9 1_2_032836F9
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C2CA 1_2_0328C2CA
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032892C5 1_2_032892C5
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03287D25 1_2_03287D25
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03294926 1_2_03294926
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BD0D 1_2_0328BD0D
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C51F 1_2_0328C51F
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C94D 1_2_0328C94D
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03289547 1_2_03289547
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283956 1_2_03283956
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032879AF 1_2_032879AF
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032879A6 1_2_032879A6
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C999 1_2_0328C999
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BD9F 1_2_0328BD9F
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283594 1_2_03283594
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032891E9 1_2_032891E9
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032839FD 1_2_032839FD
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03287DCB 1_2_03287DCB
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032839CC 1_2_032839CC
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BDCD 1_2_0328BDCD
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032835C5 1_2_032835C5
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032879C7 1_2_032879C7
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03288C37 1_2_03288C37
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C008 1_2_0328C008
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328380D 1_2_0328380D
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328941F 1_2_0328941F
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283865 1_2_03283865
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328387A 1_2_0328387A
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03287C7D 1_2_03287C7D
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C84D 1_2_0328C84D
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03293453 1_2_03293453
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C8A6 1_2_0328C8A6
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032838B7 1_2_032838B7
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03289490 1_2_03289490
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032838F7 1_2_032838F7
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BCC2 1_2_0328BCC2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 9_2_010E04B0 9_2_010E04B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 9_2_010E0938 9_2_010E0938
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Code function: 11_2_051F04B0 11_2_051F04B0
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Code function: 11_2_051F0938 11_2_051F0938
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Code function: 13_2_056604B0 13_2_056604B0
Contains functionality to call native functions
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_6EC42A74 NtProtectVirtualMemory,GetLastError, 1_2_6EC42A74
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03295B52 NtProtectVirtualMemory, 1_2_03295B52
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03296A86 NtResumeThread, 1_2_03296A86
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03293C79 LdrLoadDll,NtAllocateVirtualMemory, 1_2_03293C79
Sample file is different than original file name gathered from version info
Source: dlawt.exe, 00000001.00000002.29789700910.0000000000459000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSerian.exeDVarFileInfo$ vs dlawt.exe
Source: dlawt.exe Binary or memory string: OriginalFilenameSerian.exeDVarFileInfo$ vs dlawt.exe
PE file contains strange resources
Source: dlawt.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\dlawt.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Section loaded: edgegdi.dll Jump to behavior
PE / OLE file has an invalid certificate
Source: dlawt.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\dlawt.exe File read: C:\Users\user\Desktop\dlawt.exe Jump to behavior
Source: dlawt.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dlawt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\dlawt.exe "C:\Users\user\Desktop\dlawt.exe"
Source: C:\Users\user\Desktop\dlawt.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\dlawt.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7A08.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7C99.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DSL Monitor\dslmon.exe "C:\Program Files (x86)\DSL Monitor\dslmon.exe" 0
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DSL Monitor\dslmon.exe "C:\Program Files (x86)\DSL Monitor\dslmon.exe"
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dlawt.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\dlawt.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7A08.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7C99.tmp Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403359
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe File created: C:\Users\user\AppData\Local\Temp\nsvCC7.tmp Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winEXE@16/36@2/3
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00402104 CoCreateInstance, 1_2_00402104
Source: C:\Users\user\Desktop\dlawt.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_004046EC
Source: 11.0.dslmon.exe.860000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.dslmon.exe.860000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.dslmon.exe.860000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.AccessControl.MutexSecurity System.Threading.Mutex::GetAccessControl()
Source: 11.0.dslmon.exe.860000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Security.AccessControl.MutexSecurity::AddAccessRule(System.Security.AccessControl.MutexAccessRule)
Source: 11.0.dslmon.exe.860000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Threading.Mutex::SetAccessControl(System.Security.AccessControl.MutexSecurity)
Source: dslmon.exe.3.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dslmon.exe.3.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dslmon.exe.3.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.AccessControl.MutexSecurity System.Threading.Mutex::GetAccessControl()
Source: dslmon.exe.3.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Security.AccessControl.MutexSecurity::AddAccessRule(System.Security.AccessControl.MutexAccessRule)
Source: dslmon.exe.3.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Void System.Threading.Mutex::SetAccessControl(System.Security.AccessControl.MutexSecurity)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{c26c2547-6ec8-4b7b-bfb7-7e9e54fc0af3}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2400:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:888:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2400:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Program Files (x86)\DSL Monitor Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: dlawt.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: caspol.pdbx source: dslmon.exe, 0000000B.00000000.29808664480.0000000000862000.00000002.00000001.01000000.00000009.sdmp, dslmon.exe.3.dr
Source: Binary string: caspol.pdb source: dslmon.exe, 0000000B.00000000.29808664480.0000000000862000.00000002.00000001.01000000.00000009.sdmp, dslmon.exe.3.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000003.00000000.29620428207.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.29792156684.0000000003283000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_6EC42FD0 push eax; ret 1_2_6EC42FFE
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03286FEC push eax; iretd 1_2_03286FED
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03286216 pushfd ; retf 1_2_03286242
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328AA40 push ebp; ret 1_2_0328AA45
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328AA46 push ecx; iretd 1_2_0328AA4C
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328DA99 push edi; ret 1_2_0328DAB1
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328ED73 push ebx; ret 1_2_0328ED94
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03285C60 push esi; ret 1_2_03285C62
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03285C87 push edx; ret 1_2_03285C8E
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032850FF pushfd ; ret 1_2_0328510E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_6EC41B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6EC41B63
Drops PE files
Source: C:\Users\user\Desktop\dlawt.exe File created: C:\Users\user\AppData\Local\Temp\nsb1C0A.tmp\System.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Program Files (x86)\DSL Monitor\dslmon.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7A08.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Funklendes Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Funklendes Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Funklendes Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Funklendes Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\dlawt.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: dlawt.exe, 00000001.00000002.29791062971.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0
Source: dlawt.exe, 00000001.00000002.29792339698.0000000003451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: dlawt.exe, 00000001.00000002.29792339698.0000000003451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: dlawt.exe, 00000001.00000002.29790604096.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEPL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 1424 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7580 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3844 Thread sleep time: -560000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3472 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe TID: 5604 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe TID: 7968 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283723 rdtsc 1_2_03283723
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 791 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 1423 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_004065C7 FindFirstFileW,FindClose, 1_2_004065C7
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405996
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00402868 FindFirstFileW, 1_2_00402868
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DSL Monitor\dslmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\dlawt.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: dlawt.exe, 00000001.00000002.29791062971.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe0
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: dlawt.exe, 00000001.00000002.29792339698.0000000003451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000003.00000003.30019695752.000000000138B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000003.00000003.30019695752.000000000138B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWyD
Source: dlawt.exe, 00000001.00000002.29792339698.0000000003451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: dlawt.exe, 00000001.00000002.29792964846.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: dlawt.exe, 00000001.00000002.29790604096.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exepl

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\dlawt.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_6EC41B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6EC41B63
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03283723 rdtsc 1_2_03283723
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C375 mov eax, dword ptr fs:[00000030h] 1_2_0328C375
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03294BEE mov eax, dword ptr fs:[00000030h] 1_2_03294BEE
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C2BB mov eax, dword ptr fs:[00000030h] 1_2_0328C2BB
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C2CA mov eax, dword ptr fs:[00000030h] 1_2_0328C2CA
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C6DF mov eax, dword ptr fs:[00000030h] 1_2_0328C6DF
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C51F mov ebx, dword ptr fs:[00000030h] 1_2_0328C51F
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C51F mov eax, dword ptr fs:[00000030h] 1_2_0328C51F
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032879AF mov eax, dword ptr fs:[00000030h] 1_2_032879AF
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_03292983 mov eax, dword ptr fs:[00000030h] 1_2_03292983
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C43A mov eax, dword ptr fs:[00000030h] 1_2_0328C43A
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328F865 mov eax, dword ptr fs:[00000030h] 1_2_0328F865
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328BCC2 mov eax, dword ptr fs:[00000030h] 1_2_0328BCC2
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328D4DA mov eax, dword ptr fs:[00000030h] 1_2_0328D4DA
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_0328C4DF mov eax, dword ptr fs:[00000030h] 1_2_0328C4DF
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\dlawt.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_032929AC LdrLoadDll, 1_2_032929AC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\dlawt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: F00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dlawt.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\dlawt.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7A08.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7C99.tmp Jump to behavior
Source: CasPol.exe, 00000003.00000003.30411548049.000000001FAD0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.30996515715.000000001FAD0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.30148660063.000000001FAD2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: CasPol.exe, 00000003.00000003.31162964457.000000001FAD3000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.30043736498.000000001FAD3000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.29927474176.000000001FAD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager (x86)\DSL Monitor\dslmon.execaspol.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\dlawt.exe Code function: 1_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403359
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 711461 Sample: dlawt.exe Startdate: 28/09/2022 Architecture: WINDOWS Score: 96 48 googlehosted.l.googleusercontent.com 2->48 50 drive.google.com 2->50 52 doc-0g-38-docs.googleusercontent.com 2->52 60 Snort IDS alert for network traffic 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 Sigma detected: NanoCore 2->64 66 2 other signatures 2->66 9 dlawt.exe 61 2->9         started        13 CasPol.exe 4 2->13         started        15 dslmon.exe 4 2->15         started        17 dslmon.exe 3 2->17         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...\System.dll, PE32 9->46 dropped 76 Writes to foreign memory regions 9->76 78 Tries to detect Any.run 9->78 80 Hides threads from debuggers 9->80 19 CasPol.exe 2 23 9->19         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        signatures6 process7 dnsIp8 54 137.63.71.51, 3959, 49842, 49843 AMANAHA-NEWCA Seychelles 19->54 56 drive.google.com 142.250.186.174, 443, 49840 GOOGLEUS United States 19->56 58 googlehosted.l.googleusercontent.com 142.250.186.97, 443, 49841 GOOGLEUS United States 19->58 40 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 19->40 dropped 42 C:\Users\user\AppData\Local\...\tmp7A08.tmp, XML 19->42 dropped 44 C:\Program Files (x86)\...\dslmon.exe, PE32 19->44 dropped 68 Uses schtasks.exe or at.exe to add and modify task schedules 19->68 70 Tries to detect Any.run 19->70 72 Hides threads from debuggers 19->72 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->74 30 schtasks.exe 1 19->30         started        32 schtasks.exe 1 19->32         started        34 conhost.exe 19->34         started        file9 signatures10 process11 process12 36 conhost.exe 30->36         started        38 conhost.exe 32->38         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
137.63.71.51
 unknown Seychelles
32489 AMANAHA-NEWCA true
142.250.186.174
 drive.google.com United States
15169 GOOGLEUS false
142.250.186.97
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
drive.google.com 142.250.186.174 true
googlehosted.l.googleusercontent.com 142.250.186.97 true
doc-0g-38-docs.googleusercontent.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-0g-38-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7ccvegr5baur8gb8av4io695h7c3rd6h/1664343150000/14816144373961604306/*/12kdF3UKFZK3CB9va21Q67UlQDNdJJSzV?e=download&uuid=3cf3d666-d660-416c-bcce-539871aa28db false
    		high