Windows Analysis Report
DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Overview

General Information

Sample Name: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Analysis ID: 798398
MD5: 91c0c4710db096a4689d40e2ceb3814d
SHA1: 63880c602b960c5f91e55cbe4d5d18c7b8f1d63a
SHA256: a4d4961d124ea4276512c1584f1ebd30951cd469659b3a623594d6361772fae7

Detection

Nanocore, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to detect Any.run
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe (PID: 2948 cmdline: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe MD5: 91C0C4710DB096A4689D40E2CEB3814D)
    • CasPol.exe (PID: 4376 cmdline: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
    • CasPol.exe (PID: 7876 cmdline: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
      • conhost.exe (PID: 872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 6764 cmdline: schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)
        • conhost.exe (PID: 1760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • CasPol.exe (PID: 4756 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0 MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
    • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
00000002.00000002.167511188846.0000000008C46000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
    Process Memory Space: CasPol.exe PID: 7876 | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    Process Memory Space: CasPol.exe PID: 7876 | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0xf71e8:$a1: NanoCore.ClientPluginHost
    • 0xf71c3:$a2: NanoCore.ClientPlugin
    • 0xfab2b:$b1: get_BuilderSettings
    • 0xf71d9:$b4: IClientAppHost
    • 0x10f427:$b7: LogClientException
    • 0x11159d:$b8: PipeExists
    • 0xfeffe:$b9: IClientLoggingHost
    Source | Rule | Description | Author | Strings
    8.3.CasPol.exe.3914b6be.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x6da5:$x1: NanoCore.ClientPluginHost
    • 0x6dd2:$x2: IClientNetworkHost
    8.3.CasPol.exe.3914b6be.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x6da5:$x2: NanoCore.ClientPluginHost
    • 0x7d74:$s2: FileCommand
    • 0xc776:$s4: PipeCreated
    • 0x6dbf:$s5: IClientLoggingHost
    8.3.CasPol.exe.3914b6be.1.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
    • 0x6d7f:$x2: NanoCore.ClientPlugin
    • 0x6da5:$x3: NanoCore.ClientPluginHost
    • 0x6d70:$i3: IClientNetwork
    • 0x6d95:$i5: IClientDataHost
    • 0x6dbf:$i6: IClientLoggingHost
    • 0x6dd2:$i7: IClientNetworkHost
    • 0x6de5:$i9: IClientNameObjectCollection
    • 0x6b02:$s1: ClientPlugin
    • 0x6d88:$s1: ClientPlugin
    8.3.CasPol.exe.3914b6be.1.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0x6da5:$a1: NanoCore.ClientPluginHost
    • 0x6d7f:$a2: NanoCore.ClientPlugin
    • 0x6dbf:$b9: IClientLoggingHost
    8.3.CasPol.exe.39165717.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x3831:$x1: NanoCore.ClientPluginHost
    • 0x386a:$x2: IClientNetworkHost

    AV Detection

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 7876, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat

    E-Banking Fraud

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 7876, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat

    Persistence and Installation Behavior

    Source: Process started | Author: Joe Security | Data: Command: schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp, CommandLine: schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ParentProcessId: 7876, ParentProcessName: CasPol.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp, ProcessId: 6764, ProcessName: schtasks.exe

    Stealing of Sensitive Information

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 7876, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat

    Remote Access Functionality

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 7876, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat
    Snort alert | Timestamp: 02/04/23-04:02:00.606308 | SID: 2810451 | Source: 91.193.75.146:3498 | Destination: 192.168.11.20:49857 | Protocol: TCP | Classtype: A Network Trojan was detected
    Snort alert | Timestamp: 02/04/23-04:02:49.236881 | SID: 2816766 | Source: 192.168.11.20:49857 | Destination: 91.193.75.146:3498 | Protocol: TCP | Classtype: A Network Trojan was detected
    Snort alert | Timestamp: 02/04/23-04:02:33.039323 | SID: 2810290 | Source: 91.193.75.146:3498 | Destination: 192.168.11.20:49857 | Protocol: TCP | Classtype: A Network Trojan was detected
    Snort alert | Timestamp: 02/04/23-03:57:12.109194 | SID: 2025019 | Source: 192.168.11.20:49857 | Destination: 91.193.75.146:3498 | Protocol: TCP | Classtype: A Network Trojan was detected
    Snort alert | Timestamp: 02/04/23-04:02:50.692460 | SID: 2841753 | Source: 91.193.75.146:3498 | Destination: 192.168.11.20:49857 | Protocol: TCP | Classtype: A Network Trojan was detected
    Snort alert | Timestamp: 02/04/23-04:02:19.821499 | SID: 2816718 | Source: 192.168.11.20:49857 | Destination: 91.193.75.146:3498 | Protocol: TCP | Classtype: A Network Trojan was detected


    AV Detection

    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Virustotal: Detection: 45%
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | ReversingLabs: Detection: 47%
    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe | ReversingLabs: Detection: 47%
    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe | Virustotal: Detection: 45%
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
    Source: unknown | HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49855 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.186.161:443 -> 192.168.11.20:49856 version: TLS 1.2
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_00406555 FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_0040287E FindFirstFileW,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

    Networking

    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49857 -> 91.193.75.146:3498
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49857 -> 91.193.75.146:3498
    Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 91.193.75.146:3498 -> 192.168.11.20:49857
    Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49857 -> 91.193.75.146:3498
    Source: Traffic | Snort IDS: 2810451 ETPRO TROJAN NanoCore RAT Keepalive Response 3 91.193.75.146:3498 -> 192.168.11.20:49857
    Source: Traffic | Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 91.193.75.146:3498 -> 192.168.11.20:49857
    Source: unknown | DNS query: name: masterpat0nms672ns.duckdns.org
    Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1GWkPMapRdWHnFBq8NG4QBMUUzbTsJcvy HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gop7ht5qt6iu260mrr5822id2hevfvup/1675479375000/07900185898442636486/*/1GWkPMapRdWHnFBq8NG4QBMUUzbTsJcvy?e=download&uuid=5cfb3928-a799-4c74-b6f0-f4c0849b8739 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-b0-docs.googleusercontent.com | Connection: Keep-Alive
    Source: global traffic | TCP traffic: 192.168.11.20:49857 -> 91.193.75.146:3498
    Source: unknown | Network traffic detected: HTTP traffic on port 49856 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49855 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49856
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49855
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: CasPol.exe, 00000008.00000003.167481132146.00000000071B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: CasPol.exe, 00000008.00000003.167481132146.00000000071B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://google.com
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, Windowss.exe.8.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0c-b0-docs.googleusercontent.com/
    Source: CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0c-b0-docs.googleusercontent.com/H
    Source: CasPol.exe, 00000008.00000003.167744785159.00000000071ED000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167481132146.00000000071F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0c-b0-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gop7ht5q
    Source: CasPol.exe, 00000008.00000003.167744785159.000000000717A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167744785159.0000000007162000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
    Source: CasPol.exe, 00000008.00000003.167744785159.0000000007162000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1GWkPMapRdWHnFBq8NG4QBMUUzbTsJcvy
    Source: unknown | DNS traffic detected: queries for: drive.google.com
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

    System Summary

    Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: CasPol.exe PID: 7876, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: CasPol.exe PID: 7876, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: CasPol.exe PID: 7876, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: CasPol.exe PID: 7876, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File created: C:\Windows\resources\0409
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_004068DA
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_00404CED
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_019104B0
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Code function: 12_2_01910938
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Section loaded: edgegdi.dll
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Virustotal: Detection: 45%
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | ReversingLabs: Detection: 47%
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File read: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeCode function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeFile created: C:\Users\user\AppData\Local\Deskriptiv155Jump to behavior
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeFile created: C:\Users\user\AppData\Local\Temp\nsxE303.tmpJump to behavior
    Source: classification engineClassification label: mal100.troj.evad.winEXE@11/16@3/3
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeCode function: 2_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeCode function: 2_2_00404771 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1760:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:872:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1760:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:304:WilStaging_02
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:872:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{e277811f-20a3-49b6-ae15-cbb22e96ee2f}
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    Source: Yara match | File source: 00000002.00000002.167511188846.0000000008C46000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_10002DE0 push eax; ret
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nssE334.tmp\System.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe

    Boot Survival

    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Program Files\qga\qga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4876 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 4876 | Thread sleep time: -74900s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7080 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Window / User API: threadDelayed 1498
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Window / User API: foregroundWindowGot 562
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Window / User API: foregroundWindowGot 979
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_00406555 FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_0040287E FindFirstFileW,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | API call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
    Source: CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167744785159.0000000007162000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
    Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_00405840 CreateDirectoryW,GetLastError,GetLastError,LdrInitializeThunk,SetFileSecurityW,GetLastError,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: 1160000
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp
    Source: CasPol.exe, 00000008.00000003.167669662973.0000000039FEB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167530325327.0000000039FEB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167529839560.0000000039FEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Remote Access Functionality

    Source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVer
sionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadU
ploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleT
CPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
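The four string hits above are the .NET metadata (type and member names) of NanoCore client plugins unpacked into CasPol.exe's memory: NanoCoreBase.dll (open website, message box, CD tray, mouse-button swap), MyClientPlugin.dll (DisableWebcamLights), FileBrowserClient.dll (remote file browser) and NanoCoreStressTester.dll (HTTP/SlowLoris/SYN/TCP/UDP floods). The Python below is an added example, not Joe Sandbox code, that turns those identifiers into a memory-region check: a family verdict on the shared plugin-host interface every plugin implements, and a per-plugin verdict listing which distinctive members are present. The capability labels, the two constructed regions and the choice of marker strings are this example's assumptions.

```python
"""Identify NanoCore client plugins from .NET metadata strings in a memory region.

Added example for this report page; it is not Joe Sandbox code. The assembly
and member names come from the strings the report lists above. The capability
labels, the constructed sample regions and the marker choice are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Plugin assembly -> (capability label [assumption], member names seen in the dumped metadata)
NANOCORE_PLUGINS: dict[str, tuple[str, list[str]]] = {
    "NanoCoreBase.dll": ("core commands: open website, message box, CD tray, mouse swap", [
        "HandleCommandOpenWebsite", "HandleCommandMessageBox",
        "HandleCommandCDTray", "SwapMouseButton",
    ]),
    "MyClientPlugin.dll": ("misc commands, incl. DisableWebcamLights", [
        "HandleMiscCommand", "DisableWebcamLights",
    ]),
    "FileBrowserClient.dll": ("remote file browser (upload/download/delete)", [
        "HandleCreateDirectory", "HandleDeleteFile", "HandleReceiveFile", "SendDrives",
    ]),
    "NanoCoreStressTester.dll": ("DDoS stresser (HTTP/SlowLoris/SYN/TCP/UDP floods)", [
        "HTTPFlood", "SlowLoris", "SYNFlood", "HandleDDOSCommand",
    ]),
}

# Present in every plugin dump above: the host interface each plugin implements.
FAMILY_MARKERS = ("NanoCore.ClientPluginHost", "InitializePlugin")


@dataclass
class PluginHit:
    assembly: str
    capability: str
    members_found: list[str] = field(default_factory=list)


def _contains(blob: bytes, ident: str) -> bool:
    """Match an identifier as ASCII (the #Strings heap) or UTF-16LE (the #US heap)."""
    return ident.encode("ascii") in blob or ident.encode("utf-16-le") in blob


def is_nanocore_client(blob: bytes) -> bool:
    """Family-level verdict: both shared host-interface markers must be present."""
    return all(_contains(blob, m) for m in FAMILY_MARKERS)


def identify_plugins(blob: bytes) -> list[PluginHit]:
    """Per-plugin verdict: the assembly name plus whichever distinctive members are present."""
    hits: list[PluginHit] = []
    for assembly, (capability, members) in NANOCORE_PLUGINS.items():
        if _contains(blob, assembly):
            hits.append(PluginHit(assembly, capability, [m for m in members if _contains(blob, m)]))
    return hits


# Constructed stand-in for the CasPol.exe memory region: ASCII metadata names as in the
# report's strings, with one user string stored as UTF-16LE the way the #US heap holds it.
SAMPLE_REGION = (
    b"\x00<Module>mscorlibMicrosoft.VisualBasicNanoCore.ClientPluginHostIClientNetworkHost"
    b"InitializePluginHandleCommandOpenWebsiteHandleCommandCDTrayCloseNanoCoreBase.dll\x00"
    + "set CDAudio door open".encode("utf-16-le")
    + b"\x00NanoCoreStressTester.dllHTTPFloodSlowLorisSYNFloodHandleDDOSCommand\x00"
)

# Constructed benign .NET metadata fragment: shares mscorlib/VisualBasic names but no NanoCore markers.
BENIGN_REGION = b"\x00<Module>mscorlibMicrosoft.VisualBasicMyApplicationProgramMainSystem.Windows.Forms\x00"


if __name__ == "__main__":
    for name, region in (("sample", SAMPLE_REGION), ("benign", BENIGN_REGION)):
        print(name, "NanoCore client:", is_nanocore_client(region))
        for hit in identify_plugins(region):
            print("  ", hit.assembly, "->", hit.capability, hit.members_found)
```

Searching both encodings matters because .NET keeps identifiers (types, members) as UTF-8 in the #Strings heap but literal user strings such as "set CDAudio door open" as UTF-16LE in the #US heap; a scanner that only looks for ASCII misses the latter.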
ATT&CK matrix (a leading number is the match count Joe Sandbox attaches to that technique; unnumbered cells are unmatched matrix placeholders)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 1 Native API | 1 Scheduled Task/Job | 1 Access Token Manipulation | 1 Obfuscated Files or Information | LSASS Memory | 4 System Information Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 112 Process Injection | 1 DLL Side-Loading | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | 1 Scheduled Task/Job | 11 Masquerading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Remote Access Software | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | 1 Registry Run Keys / Startup Folder | 121 Virtualization/Sandbox Evasion | LSA Secrets | 121 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 2 Non-Application Layer Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 113 Application Layer Protocol | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 112 Process Injection | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
Behavior Graph (ID 798398; sample DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe; start date 04/02/2023; architecture WINDOWS; score 100)

    Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 6 other signatures
    Resolved DNS names: googlehosted.l.googleusercontent.com, drive.google.com, doc-0c-b0-docs.googleusercontent.com

    Process tree (node ids are the graph's; the numbers after a process are its badge counts, listed in the legend's order as created registry values and created files; network lines give remote IP, remote port, local port, ASN name and country):

    DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe (node 9; counts 3 34), started
        dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
        signatures: Writes to foreign memory regions; Tries to detect Any.run
        +-- CasPol.exe (node 15; counts 1 22), started
        |       network: masterpat0nms672ns.duckdns.org 91.193.75.146, 3498, 49857, DAVID_CRAIGGG, Serbia
        |                drive.google.com 142.250.185.110, 443, 49855, GOOGLEUS, United States
        |                googlehosted.l.googleusercontent.com 142.250.186.161, 443, 49856, GOOGLEUS, United States
        |       dropped: C:\Users\user\AppData\Local\...\Windowss.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp673D.tmp (XML)
        |       signatures: Tries to detect Any.run; Hides that the sample has been downloaded from the Internet (zone.identifier)
        |       +-- schtasks.exe (node 24; count 1), started
        |       |       +-- conhost.exe (node 28), started
        |       +-- conhost.exe (node 26), started
        +-- CasPol.exe (node 20), started
                signatures: Uses schtasks.exe or at.exe to add and modify task schedules
    CasPol.exe (node 13; count 4), started from the graph root as a separate top-level process
        +-- conhost.exe (node 22), started

    Source | Detection | Scanner | Label
    DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | 46% | Virustotal |
    DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | 47% | ReversingLabs | Win32.Trojan.Nsisx

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\nssE334.tmp\System.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nssE334.tmp\System.dll | 1% | Virustotal |
    C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe | 47% | ReversingLabs | Win32.Trojan.Nsisx
    C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe | 46% | Virustotal |
    No Antivirus matches
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    drive.google.com | 142.250.185.110 | true | false |  | high
    masterpat0nms672ns.duckdns.org | 91.193.75.146 | true | true |  | unknown
    googlehosted.l.googleusercontent.com | 142.250.186.161 | true | false |  | high
    doc-0c-b0-docs.googleusercontent.com | unknown | unknown | false |  | high
    Name | Malicious | Antivirus Detection | Reputation
    https://doc-0c-b0-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gop7ht5qt6iu260mrr5822id2hevfvup/1675479375000/07900185898442636486/*/1GWkPMapRdWHnFBq8NG4QBMUUzbTsJcvy?e=download&uuid=5cfb3928-a799-4c74-b6f0-f4c0849b8739 | false |  | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://doc-0c-b0-docs.googleusercontent.com/ | CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp | false |  | high
    https://doc-0c-b0-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gop7ht5q | CasPol.exe, 00000008.00000003.167744785159.00000000071ED000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167481132146.00000000071F4000.00000004.00000020.00020000.00000000.sdmp | false |  | high
    http://nsis.sf.net/NSIS_ErrorError | DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, Windowss.exe.8.dr | false |  | high
    http://google.com | CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp | false |  | high
    https://drive.google.com/ | CasPol.exe, 00000008.00000003.167744785159.000000000717A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167744785159.0000000007162000.00000004.00000020.00020000.00000000.sdmp | false |  | high
    https://doc-0c-b0-docs.googleusercontent.com/H | CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp | false |  | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    142.250.186.161 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
    142.250.185.110 | drive.google.com | United States | 15169 | GOOGLEUS | false
    91.193.75.146 | masterpat0nms672ns.duckdns.org | Serbia | 209623 | DAVID_CRAIGGG | true
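The tables above separate the two Google hosts used for the download stage from the DuckDNS name on 91.193.75.146:3498 that the report flags as malicious. The Python below is an added example, not Joe Sandbox code, that ranks such destinations by C2 likelihood using the three properties visible here (dynamic-DNS suffix, non-standard port, operator ASN). The connection records are constructed from the tables and the behavior graph; the suffix list, the port set, the ASN list and the weights are this example's assumptions.

```python
"""Rank a sample's network destinations by C2 likelihood.

Added example for this report page, not Joe Sandbox code. The connection
records are constructed from the report's IP/domain tables; the dynamic-DNS
suffixes, the 'standard' port set, the ASN list and the weights are assumptions.
"""
from __future__ import annotations

from typing import NamedTuple


class Conn(NamedTuple):
    host: str
    ip: str
    port: int
    asn_name: str


# Suffixes of free dynamic-DNS providers (illustrative list, an assumption of this example).
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "zapto.org")
# Ports treated as standard for outbound client traffic (assumption).
STANDARD_PORTS = {80, 443, 8080, 8443}
# Large cloud/CDN operators whose hosts are usually a payload stage rather than the C2 itself (assumption).
CLOUD_ASN_NAMES = {"GOOGLEUS", "GOOGLE", "AMAZON-02", "MICROSOFT-CORP-MSN-AS-BLOCK", "CLOUDFLARENET"}


def is_dynamic_dns(host: str) -> bool:
    """Suffix match on a DNS label boundary, so 'duckdns.org.example.net' does not match."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


def score(conn: Conn) -> tuple[int, list[str]]:
    """Points plus the human-readable reasons behind them."""
    points, reasons = 0, []
    if is_dynamic_dns(conn.host):
        points += 3
        reasons.append("dynamic DNS hostname")
    if conn.port not in STANDARD_PORTS:
        points += 2
        reasons.append(f"non-standard port {conn.port}")
    if conn.asn_name in CLOUD_ASN_NAMES:
        reasons.append("cloud/CDN operator: likely payload stage, not C2")
    else:
        points += 1
        reasons.append(f"non-cloud ASN {conn.asn_name}")
    return points, reasons


def rank(conns: list[Conn]) -> list[tuple[Conn, int, list[str]]]:
    """Highest score first; ties keep input order."""
    scored = [(c, *score(c)) for c in conns]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed from the report's IP table (remote ports as shown in the behavior graph).
CONNECTIONS = [
    Conn("drive.google.com", "142.250.185.110", 443, "GOOGLEUS"),
    Conn("googlehosted.l.googleusercontent.com", "142.250.186.161", 443, "GOOGLEUS"),
    Conn("masterpat0nms672ns.duckdns.org", "91.193.75.146", 3498, "DAVID_CRAIGGG"),
]

if __name__ == "__main__":
    for conn, points, reasons in rank(CONNECTIONS):
        print(f"{points} {conn.host} ({conn.ip}:{conn.port}) - {'; '.join(reasons)}")
```

The label-boundary check in is_dynamic_dns is the part worth copying: a plain endswith("duckdns.org") also matches attacker-chosen names such as xduckdns.org or duckdns.org.evil.example, and a plain substring test matches far more.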
                          Joe Sandbox Version:36.0.0 Rainbow Opal
                          Analysis ID:798398
                          Start date and time:2023-02-04 03:52:29 +01:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 14m 58s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Cookbook file name:default.jbs
                           Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                          Run name:Suspected Instruction Hammering
                           Number of new started processes analysed:15
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample file name:DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@11/16@3/3
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 63.1% (good quality ratio 61.9%)
                          • Quality average: 88.1%
                          • Quality standard deviation: 22.3%
                          HCA Information:
                          • Successful, ratio: 89%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                          • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, svchost.exe
                          • TCP Packets have been reduced to 100
                          • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, evoke-windowsservices-tas.msedge.net, ctldl.windowsupdate.com, wdcp.microsoft.com, manage.devcenter.microsoft.com
                           • Not all processes were analyzed; the report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                           Time | Type | Description
                           03:57:03 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe
                           03:57:09 | Task Scheduler | Run new task: DSL Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe" s>$(Arg0)
                           03:57:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe
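The timeline above records two RunOnce writes pointing at Windowss.exe under %LOCALAPPDATA%\Temp and a scheduled task named DSL Monitor whose action is the .NET Framework binary caspol.exe with a $(Arg0) placeholder. The Python below is an added example, not Joe Sandbox code, that applies the checks a responder would run over such events. The event records are constructed from the entries above plus one benign control; the rule wording, the set of .NET host binaries and the severity of each finding are this example's assumptions.

```python
"""Triage host persistence events of the kind in the report's timeline.

Added example for this report page, not Joe Sandbox code. The event records are
constructed to mirror the RunOnce and Task Scheduler entries above (plus a benign
control); the rule text and the list of .NET host binaries are assumptions.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Event(NamedTuple):
    time: str
    kind: str        # "autostart" (registry) or "task" (Task Scheduler)
    target: str      # registry key, or task name
    command: str     # executable path as recorded, possibly quoted and with arguments


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXE_NAME = re.compile(r'([^\\"]+\.exe)', re.I)
# Signed .NET Framework binaries routinely used as injection/proxy hosts (illustrative list, an assumption).
DOTNET_HOST_BINARIES = {"caspol.exe", "regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def exe_name(command: str) -> str:
    """Basename of the first .exe in a command line, lower-cased; '' if none."""
    m = EXE_NAME.search(command)
    return m.group(1).lower() if m else ""


def triage(ev: Event) -> list[str]:
    """Findings for one event; an empty list means nothing suspicious under these rules."""
    findings: list[str] = []
    exe = exe_name(ev.command)
    if ev.kind == "autostart":
        if TEMP_DIR.search(ev.command):
            findings.append(f"autostart launches {exe} from %LOCALAPPDATA%\\Temp")
        if ev.target.lower().endswith("\\runonce"):
            # RunOnce values are deleted after they run, so lasting persistence means the payload rewrites them.
            findings.append("RunOnce key: value must be rewritten on every run to persist")
    elif ev.kind == "task":
        if exe in DOTNET_HOST_BINARIES:
            findings.append(f"scheduled task runs .NET host binary {exe}")
        if "$(arg0)" in ev.command.lower():
            findings.append("task argument is $(Arg0): the real argument is supplied at run time, not stored in the task")
    return findings


def triage_all(events: list[Event]) -> dict[str, list[str]]:
    """Map each event time to its findings, skipping events that raise none."""
    return {ev.time: f for ev in events if (f := triage(ev))}


# Constructed from the timeline entries above; the 08:00:00 task is a benign control.
EVENTS = [
    Event("03:57:03", "autostart", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
          r"C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe"),
    Event("03:57:09", "task", "DSL Monitor",
          r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe" s>$(Arg0)'),
    Event("03:57:12", "autostart", r"HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce",
          r"C:\Users\user\AppData\Local\Temp\subfolder1\Windowss.exe"),
    Event("08:00:00", "task", "OneDrive Standalone Update Task",
          r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"),
]

if __name__ == "__main__":
    for t, findings in triage_all(EVENTS).items():
        print(t, *findings, sep="\n  ")
```

The two RunOnce writes nine seconds apart are what the RunOnce rule is about: because Windows deletes a RunOnce value once it has run, a sample that wants to survive reboots has to keep re-creating it, which is itself a detectable pattern.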
                          No context
                          Process:C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          File Type:ASCII text, with very long lines (34794), with no line terminators
                          Category:dropped
                          Size (bytes):34794
                          Entropy (8bit):3.9997795398371228
                          Encrypted:false
                          SSDEEP:768:ccaHQHD7RgNO/PDcbf/CBrmE4Hi1r1scfUos2cX7nhL/djYY2v:iQHDyO4mrei7sqc7BdsYG
                          MD5:DD18A90498456DFCAE95A46AFC33C475
                          SHA1:65AB8F8342AF9C08FE39E7664E3DF9C9646DF211
                          SHA-256:856D7590AB2EFC8C760BC37D652D5AE8A5DE982891ADB7A678E43A91D268DDE9
                          SHA-512:BC6F1AED9B60D3C383E0A65C19E2FF031252DC9B193AE6AD3B5B6F3767EC2F7E6E6E4B3F65D2A3CBD501ED38C838C89A9648D255EAF1110BD7C5A0142F0A6A10
                          Malicious:false
                          Process:C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):223928
                          Entropy (8bit):7.720384553629306
                          Encrypted:false
                          SSDEEP:3072:c5Nv/wHlbfgXh62+XKffH2i5A3Mz3xDD1TiBonOxOo0TUhBj4g2RgYyv:c5NvAbfgsrX6qMFdTiBQhooSBj4g2d4
                          MD5:B32FFE1EC6ECA11009C35A0829450CB1
                          SHA1:146529AFE038064ED79CAE0C62B108A14276D459
                          SHA-256:151A299FCA8F459B7670EA4922931161D6E8024B19F1C723130F6576ACBDBC83
                          SHA-512:CC32C0713B6E3C83D00682A73F2DB20FEAB0EBCD39A2CD768728FA9AD437CE0C24A6EBA7367DEC162447C14533064B93A2EB8422C843186AADADD6BEB99D7E4C
                          Malicious:false
                          Preview:..wh..8..ArM.0).LL....-G..t..N..."V.M.\og..Q].N...i.4...%.VV1.hK.'/..&.*$.U<....@.n..@..H.(.6......C.i....z\uy.R.1.f...u.-..S..f....[5A..:b.....p...'..K..g.2O..A........MGO....j.......l.N^...7W..$.6..D.q.....P&~.b4.Y8.@..n.......p..$.V.;.8|k.\69+.P..Fr1.*.M$.Y.c..?.T...n.....0......%.m%.#J._....<&-...%..v..4P..=..lz.YR.j.2.).j.*t..E.V......U...7.R...G.+..ux.Fmg.n..D....jz7...|...&.]K....A.....`oy..FM...(d:wx.._V....Y.bs..f.^$...Q.MZ.O.0.....x.a.t.nk.d....h3n.J8..R.$7..D2..g..f ... )..c..=8C.. N.....B.a"...z..&...e............'B%-2.Z.*......&.B.....q5/..A.xG.R3B..@.|.V.ss.*Y.P..iM.1.F0>....S..{gSc.^.<.kT..A.....%..w..A.........3..{.3id..?....-trml..O......TH.qU.A.....].a.H.Q4.R.&.Dh.?....8e................0Sf..r......._..S....~..<.i...*0.d...+.^..Ou(.6&.>....,*^.w....-:0..=."......I.....H....T.B.F.(..J.3#...f...8...-1.e...j.....{4....!....AG^%.....L./.$........Qz.T.H.....1.r..?D8*'.n..b>( fo.w......,....&......}/6.(..#UJ0.lWB....
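The dropped-file entries report an 8-bit entropy per file. The two opaque "data" drops (7.72 and 7.47 bits per byte) sit close to the 8.0 ceiling of uniformly random bytes, which is how a packed or encrypted payload looks next to the SVG, PNG and text drops at roughly 4 to 5.6. The Python below is an added example, not Joe Sandbox code, that computes the same measure and, going one step beyond the per-file figure, slides a window over a buffer to locate the high-entropy region inside a carrier file. The window size, the 7.2 threshold and the constructed buffers are this example's assumptions.

```python
"""8-bit Shannon entropy per file and per window.

Added example for this report page, not Joe Sandbox code. The thresholds, the
window size and the constructed input buffers are assumptions.
"""
from __future__ import annotations

import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.2) -> list[tuple[int, float]]:
    """Offsets (and entropy) of fixed-size windows at or above the threshold; a short tail window is included."""
    out: list[tuple[int, float]] = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            out.append((off, e))
    return out


def classify(data: bytes, threshold: float = 7.2) -> str:
    """Whole-file verdict in the spirit of the report's Entropy (8bit) field (bands are assumptions)."""
    e = shannon_entropy(data)
    if e >= threshold:
        return "likely packed or encrypted"
    if e >= 6.0:
        return "mixed (code or compressed data)"
    return "low entropy (text, sparse or padded data)"


# Constructed inputs: a zero-filled header followed by a uniformly distributed blob,
# mimicking an installer stub that carries an encrypted payload.
ZERO_HEADER = bytes(2048)
UNIFORM_BLOB = bytes(range(256)) * 4
STUB_WITH_PAYLOAD = ZERO_HEADER + UNIFORM_BLOB

if __name__ == "__main__":
    print(f"{shannon_entropy(STUB_WITH_PAYLOAD):.4f}", classify(STUB_WITH_PAYLOAD))
    print(high_entropy_windows(STUB_WITH_PAYLOAD))
```

The whole-file figure for the constructed stub comes out low because the zero header dominates; only the windowed scan shows the 8.0 region at offset 2048. That is the caveat for reading a single per-file entropy value: a large, low-entropy carrier can hide a small encrypted payload below any whole-file threshold.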
                          Process:C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          File Type:PNG image data, 32 x 32, 2-bit colormap, non-interlaced
                          Category:dropped
                          Size (bytes):147
                          Entropy (8bit):5.579261213353732
                          Encrypted:false
                          SSDEEP:3:yionv//thPl3MrpxyPuReVl/nRwPd/ggZcFmz3iVVyjXrC5RlH1p:6v/lhP6TwOeVV6Pd/MmgEK5RlVp
                          MD5:0CA13C84736F193C4DDC36408B63EB79
                          SHA1:DAF222B1B08D7F2645FDC2E25E63BE2AA50E9B79
                          SHA-256:9B7DA86B40E8FE9DA37BA2A4337C9BCE14B07153A9722DD3DE7772C1C5933DED
                          SHA-512:1F95694E920B1BE5A7D9A4C4F7EABCCDE8326965D8B1E3211085C67E84229F76300AED6AE29E2D79E817857CFE7608919233057FAD6FDA3BF515C59F3604099C
                          Malicious:false
                          Preview:.PNG........IHDR... ... ........g....PLTE.........f.0....tRNS..v..8...7IDATx.c..............(."..@.& .....R;X...D8.....a^......N'\..+....IEND.B`.
                          Process:C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          File Type:SVG Scalable Vector Graphics image
                          Category:dropped
                          Size (bytes):651
                          Entropy (8bit):5.228667299529662
                          Encrypted:false
                          SSDEEP:12:t4Cp9xXnlWjoprGDWXYmfM26oprGhyGuC1hz4AeWrGdKdK:t4CpPlWsrGDoY32/rGYG/4AeWrGMQ
                          MD5:367D90E6DF90CE72BAD009701DC3D941
                          SHA1:C2070B79640687DBB8A64BFAC953CFA7625F7FFF
                          SHA-256:2F11A00CC5DD755C1E5054AEF16CE293716532140B3DDB0F0623ABD460F99571
                          SHA-512:F6DA3687D0676C11CD4B3D3F4C71797059DD62B05F09DC981684155671EB7924E6096B084DF43664D09B1A13BFADFE61C1FB678B3323ED7E9984EB8D7A2D19BC
                          Malicious:false
                          Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g fill="#474747"><path d="M2 5h2.484l2.97-3H8v12h-.475l-3.04-3H2z" style="marker:none" color="#bebebe" overflow="visible"/><path d="M14 8c0-2.166-.739-4.02-2-5h-1v2c.607.789 1 1.76 1 3 0 1.241-.393 2.22-1 3v2h1c1.223-.995 2-2.873 2-5z" style="marker:none" color="#000" overflow="visible"/><path d="M11 8c0-1.257-.312-2.216-1-3H9v6h1c.672-.837 1-1.742 1-3z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" color="#000" font-weight="400" font-family="Sans" overflow="visible"/></g></svg>
                          Process:C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          File Type:SVG Scalable Vector Graphics image
                          Category:dropped
                          Size (bytes):629
                          Entropy (8bit):4.45278069770929
                          Encrypted:false
                          SSDEEP:12:TMHdPnnl/nu3tln5CfYUtLLgpvAjmAKWlzmOA/e7/lsEbWlM:2dPnnxu3tlQfjngEmAKvOA/U/lsEbN
                          MD5:DA3858070B89AA5D3B4D5FC724BED12F
                          SHA1:A923CDD523E0519E96147A05DE6D0024135127E4
                          SHA-256:3CC19ADDFE48119EB91D48E7FE510920394DC96F3006C384FFD4F63B92A73480
                          SHA-512:FF7BE5CC591CD146E56DD22BCB9FD82A21272592EA7E807B57F8D33E77DA7FB2C632CA12980B0B8CDA4028C5802EA803BC75A642714B80AAC244538E4819E502
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 6 0 c -1.644531 0 -3 1.355469 -3 3 v 10 c 0 1.644531 1.355469 3 3 3 h 4 c 1.644531 0 3 -1.355469 3 -3 v -10 c 0 -1.644531 -1.355469 -3 -3 -3 z m 0 2 h 4 c 0.570312 0 1 0.429688 1 1 v 10 c 0 0.570312 -0.429688 1 -1 1 h -4 c -0.570312 0 -1 -0.429688 -1 -1 v -10 c 0 -0.570312 0.429688 -1 1 -1 z m 0 0"/>. <path d="m 7 1 h 2 c 0.550781 0 1 0.449219 1 1 s -0.449219 1 -1 1 h -2 c -0.550781 0 -1 -0.449219 -1 -1 s 0.449219 -1 1 -1 z m 0 0"/>. </g>.</svg>.
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):20
                          Entropy (8bit):3.6841837197791887
                          Encrypted:false
                          SSDEEP:3:QHXMKas:Q3Las
                          MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                          SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                          SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                          SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                          Malicious:false
                          Preview:1,"fusion","GAC",0..
                          Process:C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):11776
                          Entropy (8bit):5.656065698421856
                          Encrypted:false
                          SSDEEP:192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
                          MD5:17ED1C86BD67E78ADE4712BE48A7D2BD
                          SHA1:1CC9FE86D6D6030B4DAE45ECDDCE5907991C01A0
                          SHA-256:BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB
                          SHA-512:0CBED521E7D6D1F85977B3F7D3CA7AC34E1B5495B69FD8C7BFA1A846BAF53B0ECD06FE1AD02A3599082FFACAF8C71A3BB4E32DEC05F8E24859D736B828092CD5
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          • Antivirus: Virustotal, Detection: 1%, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....MX...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):296163
                          Entropy (8bit):7.470506584929792
                          Encrypted:false
                          SSDEEP:6144:X5NvAbfgsrX6qMFdTiBQhooSBj4g2dgQ20cP7m:JjvTiapwjGdf20cP7m
                          MD5:E0FD6297CF0E89D773C0AE44ED514229
                          SHA1:EE4E3DEC2FFAD8B11887DD600B3A5D75982F0170
                          SHA-256:5511DCF0AEFA2FDE583BEB5703774277C3ECB68B48AFA8B5D7F89F641B1F87F3
                          SHA-512:5911A30953430870D7468C7BD48B57435FD6898800FC81EFA42FD340222E938D1C0889432C413163BC777044B412EF92A72740489FA620FE7220143D0A5A1C56
                          Malicious:false
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Category:dropped
                          Size (bytes):348136
                          Entropy (8bit):7.836361315282437
                          Encrypted:false
                          SSDEEP:6144:twq3NpWyFr7S0HFwnNHF6pmK2DIuua9ma+T4cX+tTMZP3qtTaPwkYn5inpT4:tzayFfDwNg4RE864c4MZ/c2UinS
                          MD5:91C0C4710DB096A4689D40E2CEB3814D
                          SHA1:63880C602B960C5F91E55CBE4D5D18C7B8F1D63A
                          SHA-256:A4D4961D124EA4276512C1584F1EBD30951CD469659B3A623594D6361772FAE7
                          SHA-512:B5FC41A609EFB2946DDCE21F383B5AE8E70D93B0FD0DEC8E48B27F7660569CCDBAFE806BF56FC0CD7C4E43826B79F065D57CD66DA3C27E865CDCED3CA865EB2A
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 47%
                          • Antivirus: Virustotal, Detection: 46%, Browse
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1319
                          Entropy (8bit):5.131285242271578
                          Encrypted:false
                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnJxtn:cbk4oL600QydbQxIYODOLedq3ZJj
                          MD5:497F298FC157762F192A7C42854C6FB6
                          SHA1:04BEC630F5CC64EA17C0E3E780B3CCF15A35C6E0
                          SHA-256:3462CBE62FBB64FC53A0FCF97E43BAAFE9DD9929204F586A86AFE4B89D8048A6
                          SHA-512:C7C6FD3097F4D1CCD313160FEDF7CB031644E0836B8C3E25481095E5F4B003759BC84FC6EA9421E3A090E66DC2FF875FEC2F394A386691AB178CB164733411B2
                          Malicious:true
                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):232
                          Entropy (8bit):7.089541637477408
                          Encrypted:false
                          SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
                          MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
                          SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
                          SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
                          SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
                          Malicious:false
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):8
                          Entropy (8bit):3.0
                          Encrypted:false
                          SSDEEP:3:7M:I
                          MD5:E605984DC561B9F47F1CB5768EA0DF06
                          SHA1:3CDBC8C449B53F919F51DA02322134F41B7ECB33
                          SHA-256:026CF8CFDE23BEDCC5E60564D808C492580B9046DD1BDE5B1CF9167852986EA8
                          SHA-512:3520CBDECFEC35785DCE152A84253934AAF3F554C1E74089010E556A9EA1D06EDB5E55D9F94CAB17281B2CD430B46C3FE8CE630D3CEB53C89B599928B1D232C4
                          Malicious:true
                          Preview:t...c..H
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):40
                          Entropy (8bit):5.153055907333276
                          Encrypted:false
                          SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                          MD5:4E5E92E2369688041CC82EF9650EDED2
                          SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                          SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                          SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                          Malicious:false
                          Preview:9iH...}Z.4..f.~a........~.~.......3.U.
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):426832
                          Entropy (8bit):7.999527918131335
                          Encrypted:true
                          SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
                          MD5:653DDDCB6C89F6EC51F3DDC0053C5914
                          SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
                          SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
                          SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
                          Malicious:false
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):56
                          Entropy (8bit):4.745141646068962
                          Encrypted:false
                          SSDEEP:3:oMty8WbSmm:oMLWumm
                          MD5:F781103B538E4159A8F01E3BE09B1F8D
                          SHA1:27992585DE22A095BABCFD75E8F96710DD921C37
                          SHA-256:BEA91983791C26C19AA411B2870E89AFC250EAF9855B6E1CE7BEA02B74E7F368
                          SHA-512:D50AE0A01E74FC263B704FADE17CDF4993B61E34FD498827D546F090CE2DA5E8F24D4D34FBF360AE7EE5C5E7E3F032F3DDA8AD0C2A2CF0E1DAFEED61258AB4CA
                          Malicious:false
                          Preview:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):182
                          Entropy (8bit):5.07060597644582
                          Encrypted:false
                          SSDEEP:3:RGXKRjN3Mxm8d/AjhclROXDD9jmKXVM8/FOoDamd9xraWMZ4MKLJFcLEWgJya7:zx3M7ucLOdBXVNYmd9NaWM6MKnH5JyY
                          MD5:B08826036A3E81B44E7D8C1284381013
                          SHA1:96CF7E6BC1B55C69CE33BEC3B78FFF4EB8839B87
                          SHA-256:E7AD5092F56BB2ACA26262C361FE5F83171D21AB134D4E5D2EF47E9BF641B549
                          SHA-512:EB9908F6FB6398EDCE4F3B18AA64ABEE8774D1CA3A5B533617C97AAC5E795627CCB8B1176BE64371E6BEF6352004FC2B4862A388D61A6103D05B5B2D02CD0481
                          Malicious:false
                          Preview:Microsoft (R) .NET Framework CasPol 2.0.50727.9149..Copyright (c) Microsoft Corporation. All rights reserved.....ERROR: Invalid option: 0....For usage information, use 'caspol -?'..
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Entropy (8bit):7.836361315282437
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
                          File size:348136
                          MD5:91c0c4710db096a4689d40e2ceb3814d
                          SHA1:63880c602b960c5f91e55cbe4d5d18c7b8f1d63a
                          SHA256:a4d4961d124ea4276512c1584f1ebd30951cd469659b3a623594d6361772fae7
                          SHA512:b5fc41a609efb2946ddce21f383b5ae8e70d93b0fd0dec8e48b27f7660569ccdbafe806bf56fc0cd7c4e43826b79f065d57cd66da3c27e865cdced3ca865eb2a
                          SSDEEP:6144:twq3NpWyFr7S0HFwnNHF6pmK2DIuua9ma+T4cX+tTMZP3qtTaPwkYn5inpT4:tzayFfDwNg4RE864c4MZ/c2UinS
                          TLSH:C6741208B548D9A7C9630932ED628AF67ABDDE613BB1A70733006F7C7D312618F45365
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@
                          Icon Hash:00c4c4dcdcd4d410
                          Entrypoint:0x40344a
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x584DCA38 [Sun Dec 11 21:50:48 2016 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:4ea4df5d94204fc550be1874e1b77ea7
                          Instruction
                          sub esp, 000002D4h
                          push ebx
                          push esi
                          push edi
                          push 00000020h
                          pop edi
                          xor ebx, ebx
                          push 00008001h
                          mov dword ptr [esp+14h], ebx
                          mov dword ptr [esp+10h], 0040A230h
                          mov dword ptr [esp+1Ch], ebx
                          call dword ptr [004080B4h]
                          call dword ptr [004080B0h]
                          cmp ax, 00000006h
                          je 00007F9DD91D3BA3h
                          push ebx
                          call 00007F9DD91D6CFCh
                          cmp eax, ebx
                          je 00007F9DD91D3B99h
                          push 00000C00h
                          call eax
                          mov esi, 004082B8h
                          push esi
                          call 00007F9DD91D6C76h
                          push esi
                          call dword ptr [0040815Ch]
                          lea esi, dword ptr [esi+eax+01h]
                          cmp byte ptr [esi], 00000000h
                          jne 00007F9DD91D3B7Ch
                          push ebp
                          push 00000009h
                          call 00007F9DD91D6CCEh
                          push 00000007h
                          call 00007F9DD91D6CC7h
                          mov dword ptr [0042A244h], eax
                          call dword ptr [0040803Ch]
                          push ebx
                          call dword ptr [004082A4h]
                          mov dword ptr [0042A2F8h], eax
                          push ebx
                          lea eax, dword ptr [esp+34h]
                          push 000002B4h
                          push eax
                          push ebx
                          push 004216E8h
                          call dword ptr [00408188h]
                          push 0040A384h
                          push 00429240h
                          call 00007F9DD91D68B0h
                          call dword ptr [004080ACh]
                          mov ebp, 00435000h
                          push eax
                          push ebp
                          call 00007F9DD91D689Eh
                          push ebx
                          call dword ptr [00408174h]
                          add word ptr [eax], 0000h
                          Programming Language:
                          • [EXP] VC++ 6.0 SP5 build 8804
                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x68000 | 0x19ef0 | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           .text | 0x1000 | 0x61f1 | 0x6200 | False | 0.6656967474489796 | data | 6.477074763411717 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                           .rdata | 0x8000 | 0x13a4 | 0x1400 | False | 0.4529296875 | data | 5.163001655755973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .data | 0xa000 | 0x20338 | 0x600 | False | 0.501953125 | data | 3.9745558434885093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .ndata | 0x2b000 | 0x3d000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .rsrc | 0x68000 | 0x19ef0 | 0x1a000 | False | 0.8527644230769231 | data | 7.543225711963014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           Name | RVA | Size | Type | Language | Country
                           RT_ICON | 0x683a0 | 0xbdfc | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                           RT_ICON | 0x741a0 | 0x743a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                           RT_ICON | 0x7b5e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
                           RT_ICON | 0x7db88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                           RT_ICON | 0x7ec30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States
                           RT_ICON | 0x7fad8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States
                           RT_ICON | 0x80380 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States
                           RT_ICON | 0x809e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States
                           RT_ICON | 0x80f50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
                           RT_ICON | 0x813b8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
                           RT_ICON | 0x816a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States
                           RT_DIALOG | 0x817c8 | 0x100 | data | English | United States
                           RT_DIALOG | 0x818c8 | 0x11c | data | English | United States
                           RT_DIALOG | 0x819e8 | 0xc4 | data | English | United States
                           RT_DIALOG | 0x81ab0 | 0x60 | data | English | United States
                           RT_GROUP_ICON | 0x81b10 | 0xa0 | data | English | United States
                           RT_MANIFEST | 0x81bb0 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                           DLL | Import
                           KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                           USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
                           GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                           SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                           ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                           COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                           ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                           Language of compilation system | Country where language is spoken | Map
                           English | United States
                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                           02/04/23-04:02:00.606308 | TCP | 2810451 | ETPRO TROJAN NanoCore RAT Keepalive Response 3 | 3498 | 49857 | 91.193.75.146 | 192.168.11.20
                           02/04/23-04:02:49.236881 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49857 | 3498 | 192.168.11.20 | 91.193.75.146
                           02/04/23-04:02:33.039323 | TCP | 2810290 | ETPRO TROJAN NanoCore RAT Keepalive Response 1 | 3498 | 49857 | 91.193.75.146 | 192.168.11.20
                           02/04/23-03:57:12.109194 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49857 | 3498 | 192.168.11.20 | 91.193.75.146
                           02/04/23-04:02:50.692460 | TCP | 2841753 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) | 3498 | 49857 | 91.193.75.146 | 192.168.11.20
                           02/04/23-04:02:19.821499 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49857 | 3498 | 192.168.11.20 | 91.193.75.146
                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Feb 4, 2023 03:57:08.440222979 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.440383911 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.440632105 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.440804005 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.440854073 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.441011906 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.441065073 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.441524029 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.441632032 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.441922903 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.441956997 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.442022085 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.442126036 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.442212105 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.442545891 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.442792892 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.442836046 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.442862034 CET44349856142.250.186.161192.168.11.20
                          Feb 4, 2023 03:57:08.443027020 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.443027973 CET49856443192.168.11.20142.250.186.161
                          Feb 4, 2023 03:57:08.443404913 CET44349856142.250.186.161192.168.11.20
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Feb 4, 2023 03:57:07.229824066 CET  51329        53         192.168.11.20  1.1.1.1
Feb 4, 2023 03:57:07.239095926 CET  53           51329      1.1.1.1        192.168.11.20
Feb 4, 2023 03:57:08.025192976 CET  54127        53         192.168.11.20  1.1.1.1
Feb 4, 2023 03:57:08.065241098 CET  53           54127      1.1.1.1        192.168.11.20
Feb 4, 2023 03:57:09.862443924 CET  55766        53         192.168.11.20  1.1.1.1
Feb 4, 2023 03:57:09.968810081 CET  53           55766      1.1.1.1        192.168.11.20

Timestamp                           Source IP      Dest IP  Trans ID  OP Code             Name                                  Type            Class        DNS over HTTPS
Feb 4, 2023 03:57:07.229824066 CET  192.168.11.20  1.1.1.1  0xbccb    Standard query (0)  drive.google.com                      A (IP address)  IN (0x0001)  false
Feb 4, 2023 03:57:08.025192976 CET  192.168.11.20  1.1.1.1  0x6144    Standard query (0)  doc-0c-b0-docs.googleusercontent.com  A (IP address)  IN (0x0001)  false
Feb 4, 2023 03:57:09.862443924 CET  192.168.11.20  1.1.1.1  0xf9a     Standard query (0)  masterpat0nms672ns.duckdns.org        A (IP address)  IN (0x0001)  false

Timestamp                           Source IP  Dest IP        Trans ID  Reply Code    Name                                  CName                                 Address          Type                    Class        DNS over HTTPS
Feb 4, 2023 03:57:07.239095926 CET  1.1.1.1    192.168.11.20  0xbccb    No error (0)  drive.google.com                      -                                     142.250.185.110  A (IP address)          IN (0x0001)  false
Feb 4, 2023 03:57:08.065241098 CET  1.1.1.1    192.168.11.20  0x6144    No error (0)  doc-0c-b0-docs.googleusercontent.com  googlehosted.l.googleusercontent.com  -                CNAME (Canonical name)  IN (0x0001)  false
Feb 4, 2023 03:57:08.065241098 CET  1.1.1.1    192.168.11.20  0x6144    No error (0)  googlehosted.l.googleusercontent.com  -                                     142.250.186.161  A (IP address)          IN (0x0001)  false
Feb 4, 2023 03:57:09.968810081 CET  1.1.1.1    192.168.11.20  0xf9a     No error (0)  masterpat0nms672ns.duckdns.org        -                                     91.193.75.146    A (IP address)          IN (0x0001)  false

• drive.google.com
• doc-0c-b0-docs.googleusercontent.com

Target ID: 2
Start time: 03:54:23
Start date: 04/02/2023
Path: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Imagebase: 0x400000
File size: 348136 bytes
MD5 hash: 91C0C4710DB096A4689D40E2CEB3814D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.167511188846.0000000008C46000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 7
Start time: 03:56:47
Start date: 04/02/2023
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Imagebase: 0x7ff683850000
File size: 106496 bytes
MD5 hash: 7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 8
Start time: 03:56:47
Start date: 04/02/2023
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Imagebase: 0xd80000
File size: 106496 bytes
MD5 hash: 7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: NanoCore, Description: unknown, Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: moderate

Target ID: 9
Start time: 03:56:47
Start date: 04/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff683850000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 10
Start time: 03:57:08
Start date: 04/02/2023
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp
Imagebase: 0x140000
File size: 187904 bytes
MD5 hash: 478BEAEC1C3A9417272BC8964ADD1CEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 11
Start time: 03:57:08
Start date: 04/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff683850000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 12
Start time: 03:57:09
Start date: 04/02/2023
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
Imagebase: 0xd10000
File size: 106496 bytes
MD5 hash: 7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Target ID: 13
Start time: 03:57:09
Start date: 04/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff700660000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly