Windows Analysis Report
Rechung-R1663322504.exe

Overview

General Information

Sample Name:	Rechung-R1663322504.exe
Analysis ID:	829392
MD5:	11b5b208de7a85b46104a0597c5da7dc
SHA1:	c578bc317e666159cbfc191cb4e50de2de03ab79
SHA256:	0a80ba418f561098477e18cc42ddfc31796b2be3166ff6c99967b98388fe4826
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected BrowserPasswordDump

Yara detected GuLoader

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

May check the online IP address of the machine

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Enables debug privileges

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

PE / OLE file has an invalid certificate

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Rechung-R1663322504.exe	ReversingLabs: Detection: 30%
Source: Rechung-R1663322504.exe	Virustotal: Detection: 37%			Perma Link

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_370F1C22 CryptUnprotectData,		7_2_370F1C22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_370F1BF9 CryptUnprotectData,		7_2_370F1BF9

Uses 32bit PE files

Source: Rechung-R1663322504.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.11.20:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.129:443 -> 192.168.11.20:49844 version: TLS 1.2

Source: Rechung-R1663322504.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Development\Releases\Json\Working\Src\Newtonsoft.Json\bin\Release\DotNet20\7d562147-cd91-4fc9-8abf-f0e85d79adad\Newtonsoft.Json.Net20.pdb source: CasPol.exe, 00000007.00000002.52546988980.0000000035EB7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.0000000035F86000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52561889914.0000000037600000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\C L A Y\Desktop\BrowserPass-master\BrowserPass\obj\Debug\BrowserPass.pdb source: CasPol.exe, 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: -Cl#"costura.browserpass.pdb.compressed source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\C L A Y\Desktop\BrowserPass-master\BrowserPass\obj\Debug\BrowserPass.pdbPUjU \U_CorDllMainmscoree.dll source: CasPol.exe, 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: -Cl-,costura.newtonsoft.json.net20.pdb.compressed,)Cl\| source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_00402862 FindFirstFileW,	1_2_00402862
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040596D
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_004065A2 FindFirstFileW,FindClose,	1_2_004065A2

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2C109h	7_2_00D2BE60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2AB79h	7_2_00D2A8D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D23F79h	7_2_00D23CD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D20769h	7_2_00D204C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D24C69h	7_2_00D249C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2B869h	7_2_00D2B5C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D29171h	7_2_00D28EC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D22599h	7_2_00D222F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_00D263FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D23289h	7_2_00D22FE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D22E39h	7_2_00D22B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D23B29h	7_2_00D23880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2A729h	7_2_00D2A480
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D28459h	7_2_00D281B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D21459h	7_2_00D211B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D29E61h	7_2_00D29BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D22149h	7_2_00D21EA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D21CF9h	7_2_00D21A50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D229E9h	7_2_00D22740
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2B419h	7_2_00D2B170
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D24819h	7_2_00D24570
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D20319h	7_2_00D20070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D28D21h	7_2_00D28A78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D21009h	7_2_00D20D60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D29A11h	7_2_00D29768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D20BB9h	7_2_00D20910
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2BCB9h	7_2_00D2BA10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D295C1h	7_2_00D29318
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_00D26400
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D218A9h	7_2_00D21600
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2A2DAh	7_2_00D2A030
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D236D9h	7_2_00D23430
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2AFC9h	7_2_00D2AD20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D243C9h	7_2_00D24120
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D288D1h	7_2_00D28628
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_00D26729
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2DF29h	7_2_36F2DC70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2F4B9h	7_2_36F2F200
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F22971h	7_2_36F22588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F223E3h	7_2_36F2212B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov esp, ebp	7_2_36F2B0F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov esp, ebp	7_2_36F2B0E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2DBCDh	7_2_36F2CED0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2E379h	7_2_36F2E0C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F22971h	7_2_36F228A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2FD59h	7_2_36F2FAAE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2F909h	7_2_36F2F650
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	7_2_36F2CA29
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	7_2_36F2CC08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	7_2_36F2C3E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2F069h	7_2_36F2EDB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F22971h	7_2_36F22586
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2EC19h	7_2_36F2E961
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2E7C9h	7_2_36F2E510

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2039190 ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.11.20:49845 -> 158.101.44.242:80

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eu361v7891419i1as1r1dl2nqlomasvu/1679114250000/12853136832670220481/*/1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l?e=download&uuid=687b7ba6-caf7-4f82-8267-8cb96e77380a HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-c4-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: CasPol.exe, 00000007.00000003.52341294724.000000000429A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.00000000042B3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52345673392.00000000042B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000007.00000003.52341294724.000000000429A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52345673392.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.00000000042AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000007.00000003.52345673392.0000000004296000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: CasPol.exe, 00000007.00000002.52560446262.0000000036F51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: CasPol.exe, 00000007.00000002.52560446262.0000000036F51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: CasPol.exe, 00000007.00000002.52561889914.0000000037600000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Rechung-R1663322504.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Amcache.hve.LOG1.9.dr, Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: Rechung-R1663322504.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: CasPol.exe, 00000007.00000002.52522416612.0000000004268000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52345673392.00000000042C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-c4-docs.googleusercontent.com/
Source: CasPol.exe, 00000007.00000002.52522416612.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52341294724.00000000042E4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52345673392.00000000042E1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.0000000004283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-c4-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eu361v78
Source: CasPol.exe, 00000007.00000002.52522416612.000000000422B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000007.00000002.52522416612.0000000004268000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52537250560.0000000033B30000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.000000000422B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l
Source: CasPol.exe, 00000007.00000002.52522416612.0000000004268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-lf0
Source: CasPol.exe, 00000007.00000002.52522416612.000000000422B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-lha
Source: CasPol.exe, 00000007.00000002.52522416612.0000000004268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-ltsvcs
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E3B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E3B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.0000000036246000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.000000003625C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E3B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000007.00000002.52546988980.0000000036246000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.000000003625C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/P
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E3B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.0000000036246000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.000000003625C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Code function: 7_2_34B6A09A recv,

7_2_34B6A09A

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eu361v7891419i1as1r1dl2nqlomasvu/1679114250000/12853136832670220481/*/1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l?e=download&uuid=687b7ba6-caf7-4f82-8267-8cb96e77380a HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-c4-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.11.20:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.129:443 -> 192.168.11.20:49844 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_00405402 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00405402

Uses 32bit PE files

Source: Rechung-R1663322504.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 7.2.CasPol.exe.37520000.3.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_BrowserPass date = 2020-12-28, author = Arnim Rupp (https://github.com/ruppde), description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/jabiel/BrowserPass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CasPol.exe.37520000.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_BrowserPass date = 2020-12-28, author = Arnim Rupp (https://github.com/ruppde), description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/jabiel/BrowserPass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_BrowserPass date = 2020-12-28, author = Arnim Rupp (https://github.com/ruppde), description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/jabiel/BrowserPass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2584

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403350

Creates files inside the system directory

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Windows\SysWOW64\Arbejdsglderne

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_00404C3F	1_2_00404C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D25C78	7_2_00D25C78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D26778	7_2_00D26778
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D27460	7_2_00D27460
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2BE60	7_2_00D2BE60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D24E10	7_2_00D24E10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A8D0	7_2_00D2A8D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D23CD0	7_2_00D23CD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22FD0	7_2_00D22FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D204C0	7_2_00D204C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D249C0	7_2_00D249C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2B5C0	7_2_00D2B5C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A8C0	7_2_00D2A8C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28EC8	7_2_00D28EC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D23CCE	7_2_00D23CCE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D222F0	7_2_00D222F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D215F0	7_2_00D215F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D263FA	7_2_00D263FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D222E2	7_2_00D222E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22FE0	7_2_00D22FE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22B90	7_2_00D22B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21E9E	7_2_00D21E9E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D23880	7_2_00D23880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A480	7_2_00D2A480
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22B80	7_2_00D22B80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D281B0	7_2_00D281B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D211B0	7_2_00D211B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D249B0	7_2_00D249B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29BB8	7_2_00D29BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28EB9	7_2_00D28EB9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D204BE	7_2_00D204BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2B5BE	7_2_00D2B5BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D211A0	7_2_00D211A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21EA0	7_2_00D21EA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D281A0	7_2_00D281A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29BA9	7_2_00D29BA9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20D50	7_2_00D20D50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21A50	7_2_00D21A50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2BE55	7_2_00D2BE55
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29759	7_2_00D29759
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22740	7_2_00D22740
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21A4E	7_2_00D21A4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2B170	7_2_00D2B170
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D24570	7_2_00D24570
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20070	7_2_00D20070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28A76	7_2_00D28A76
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28A78	7_2_00D28A78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2387E	7_2_00D2387E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A47E	7_2_00D2A47E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20D60	7_2_00D20D60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2B161	7_2_00D2B161
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2456A	7_2_00D2456A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29768	7_2_00D29768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D25C68	7_2_00D25C68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D26769	7_2_00D26769
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20910	7_2_00D20910
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2BA10	7_2_00D2BA10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D24110	7_2_00D24110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20011	7_2_00D20011
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2AD16	7_2_00D2AD16
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29318	7_2_00D29318
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28619	7_2_00D28619
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D26400	7_2_00D26400
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21600	7_2_00D21600
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20906	7_2_00D20906
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2BA0B	7_2_00D2BA0B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29309	7_2_00D29309
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22732	7_2_00D22732
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A030	7_2_00D2A030
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D23430	7_2_00D23430
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2AD20	7_2_00D2AD20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D24120	7_2_00D24120
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A020	7_2_00D2A020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2342B	7_2_00D2342B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28628	7_2_00D28628
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F212E8	7_2_36F212E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F296A0	7_2_36F296A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F22C83	7_2_36F22C83
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2DC70	7_2_36F2DC70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2F200	7_2_36F2F200
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F265C8	7_2_36F265C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2212B	7_2_36F2212B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F264D0	7_2_36F264D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2CED0	7_2_36F2CED0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2E0C0	7_2_36F2E0C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F29ECB	7_2_36F29ECB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F25EA0	7_2_36F25EA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F214A8	7_2_36F214A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2FAAE	7_2_36F2FAAE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F29690	7_2_36F29690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F25E9E	7_2_36F25E9E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F25A79	7_2_36F25A79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2F650	7_2_36F2F650
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F26C19	7_2_36F26C19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2B408	7_2_36F2B408
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2ABF3	7_2_36F2ABF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2B3F8	7_2_36F2B3F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2C3E8	7_2_36F2C3E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2C3DA	7_2_36F2C3DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2EDB0	7_2_36F2EDB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F265B7	7_2_36F265B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2E961	7_2_36F2E961
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2BD40	7_2_36F2BD40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2BD30	7_2_36F2BD30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2E510	7_2_36F2E510
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2910F	7_2_36F2910F

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_34B6A67E NtQuerySystemInformation,		7_2_34B6A67E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_34B6A64D NtQuerySystemInformation,		7_2_34B6A64D

Tries to load missing DLLs

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

PE / OLE file has an invalid certificate

Source: Rechung-R1663322504.exe

Static PE information: invalid certificate

Source: Rechung-R1663322504.exe	ReversingLabs: Detection: 30%
Source: Rechung-R1663322504.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File read: C:\Users\user\Desktop\Rechung-R1663322504.exe

Jump to behavior

Source: Rechung-R1663322504.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Rechung-R1663322504.exe C:\Users\user\Desktop\Rechung-R1663322504.exe
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2584
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2584	Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	1_2_00403350
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_34B6A502 AdjustTokenPrivileges,	7_2_34B6A502
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_34B6A4CB AdjustTokenPrivileges,	7_2_34B6A4CB

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Users\user\Socialdirektrer

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Users\user\AppData\Local\Temp\nsxF7C5.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/15@3/3

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_004020FE CoCreateInstance,

1_2_004020FE

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_004046C3 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_004046C3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File written: C:\Windows\assembly\Desktop.ini

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Rechung-R1663322504.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Development\Releases\Json\Working\Src\Newtonsoft.Json\bin\Release\DotNet20\7d562147-cd91-4fc9-8abf-f0e85d79adad\Newtonsoft.Json.Net20.pdb source: CasPol.exe, 00000007.00000002.52546988980.0000000035EB7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.0000000035F86000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52561889914.0000000037600000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\C L A Y\Desktop\BrowserPass-master\BrowserPass\obj\Debug\BrowserPass.pdb source: CasPol.exe, 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: -Cl#"costura.browserpass.pdb.compressed source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\C L A Y\Desktop\BrowserPass-master\BrowserPass\obj\Debug\BrowserPass.pdbPUjU \U_CorDllMainmscoree.dll source: CasPol.exe, 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: -Cl-,costura.newtonsoft.json.net20.pdb.compressed,)Cl\| source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.52371090291.000000000690B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A8BC82 pushfd ; retf	1_3_00A8BC83
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A8BEFE push EC8D5275h; retf	1_3_00A8BF03
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A88800 push eax; retf	1_3_00A88803
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A87879 pushad ; retf	1_3_00A8787B
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A8104B push es; ret	1_3_00A8104E
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A80DBC push es; retf	1_3_00A80EA6
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A877CD push edi; retf	1_3_00A87823
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A89B29 push esi; retf	1_3_00A89B4C
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A8A162 pushad ; retf 0029h	1_3_00A8A163
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_10002DE0 push eax; ret	1_2_10002E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2FAA2 push esp; ret	7_2_36F2FAA5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2203B push ebp; ret	7_2_36F22042
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F22013 push ebx; ret	7_2_36F2201A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F22011 push ebx; ret	7_2_36F22012
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21FE8 push ebx; ret	7_2_36F21FEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2C3DA push 36F2C3BDh; ret	7_2_36F2C3A3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21FC1 push ebx; ret	7_2_36F21FC2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21F99 push ebx; ret	7_2_36F21F9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21D47 push edx; ret	7_2_36F21D4A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21D4B push ebx; ret	7_2_36F21D4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21D4F push ebx; ret	7_2_36F21D52
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F22121 push edi; ret	7_2_36F22122
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21D01 push ecx; ret	7_2_36F21D02

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Drops PE files

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File created: C:\Users\user\AppData\Local\Temp\nsiF853.tmp\AdvSplash.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File created: C:\Users\user\AppData\Local\Temp\nsiF853.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Rechung-R1663322504.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Rechung-R1663322504.exe, 00000001.00000002.52369801898.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, Rechung-R1663322504.exe, 00000001.00000003.52267232301.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE1
Source: Rechung-R1663322504.exe, Rechung-R1663322504.exe, 00000001.00000002.52369801898.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, Rechung-R1663322504.exe, 00000001.00000003.52267232301.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_00402862 FindFirstFileW,	1_2_00402862
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040596D
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_004065A2 FindFirstFileW,FindClose,	1_2_004065A2

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000007.00000002.52522416612.000000000422B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.0000000004283000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Rechung-R1663322504.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52369801898.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, Rechung-R1663322504.exe, 00000001.00000003.52267232301.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe1
Source: Rechung-R1663322504.exe, Rechung-R1663322504.exe, 00000001.00000002.52369801898.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, Rechung-R1663322504.exe, 00000001.00000003.52267232301.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_00406937 GetTickCount,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

1_2_00406937

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: 1100000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2584	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

1_2_00403350

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected BrowserPasswordDump

Source: Yara match	File source: 7.2.CasPol.exe.37520000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.CasPol.exe.37520000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52540526737.0000000034E8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52560446262.0000000036F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5220, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5220, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: 7.2.CasPol.exe.37520000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.CasPol.exe.37520000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52540526737.0000000034E8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52560446262.0000000036F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5220, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.16.129	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	true
142.250.184.206	drive.google.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
drive.google.com	142.250.184.206	true
googlehosted.l.googleusercontent.com	172.217.16.129	true
checkip.dyndns.com	158.101.44.242	true
doc-04-c4-docs.googleusercontent.com	unknown	unknown
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://doc-04-c4-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eu361v7891419i1as1r1dl2nqlomasvu/1679114250000/12853136832670220481/*/1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l?e=download&uuid=687b7ba6-caf7-4f82-8267-8cb96e77380a	false		high

AV Detection

Multi AV Scanner detection for submitted file

Source: Rechung-R1663322504.exe	ReversingLabs: Detection: 30%
Source: Rechung-R1663322504.exe	Virustotal: Detection: 37%			Perma Link

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_370F1C22 CryptUnprotectData,		7_2_370F1C22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_370F1BF9 CryptUnprotectData,		7_2_370F1BF9

Uses 32bit PE files

Source: Rechung-R1663322504.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.11.20:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.129:443 -> 192.168.11.20:49844 version: TLS 1.2

Source: Rechung-R1663322504.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Development\Releases\Json\Working\Src\Newtonsoft.Json\bin\Release\DotNet20\7d562147-cd91-4fc9-8abf-f0e85d79adad\Newtonsoft.Json.Net20.pdb source: CasPol.exe, 00000007.00000002.52546988980.0000000035EB7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.0000000035F86000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52561889914.0000000037600000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\C L A Y\Desktop\BrowserPass-master\BrowserPass\obj\Debug\BrowserPass.pdb source: CasPol.exe, 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: -Cl#"costura.browserpass.pdb.compressed source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\C L A Y\Desktop\BrowserPass-master\BrowserPass\obj\Debug\BrowserPass.pdbPUjU \U_CorDllMainmscoree.dll source: CasPol.exe, 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: -Cl-,costura.newtonsoft.json.net20.pdb.compressed,)Cl\| source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_00402862 FindFirstFileW,	1_2_00402862
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040596D
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_004065A2 FindFirstFileW,FindClose,	1_2_004065A2

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2C109h	7_2_00D2BE60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2AB79h	7_2_00D2A8D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D23F79h	7_2_00D23CD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D20769h	7_2_00D204C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D24C69h	7_2_00D249C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2B869h	7_2_00D2B5C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D29171h	7_2_00D28EC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D22599h	7_2_00D222F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_00D263FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D23289h	7_2_00D22FE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D22E39h	7_2_00D22B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D23B29h	7_2_00D23880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2A729h	7_2_00D2A480
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D28459h	7_2_00D281B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D21459h	7_2_00D211B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D29E61h	7_2_00D29BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D22149h	7_2_00D21EA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D21CF9h	7_2_00D21A50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D229E9h	7_2_00D22740
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2B419h	7_2_00D2B170
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D24819h	7_2_00D24570
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D20319h	7_2_00D20070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D28D21h	7_2_00D28A78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D21009h	7_2_00D20D60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D29A11h	7_2_00D29768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D20BB9h	7_2_00D20910
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2BCB9h	7_2_00D2BA10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D295C1h	7_2_00D29318
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_00D26400
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D218A9h	7_2_00D21600
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2A2DAh	7_2_00D2A030
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D236D9h	7_2_00D23430
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D2AFC9h	7_2_00D2AD20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D243C9h	7_2_00D24120
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 00D288D1h	7_2_00D28628
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_00D26729
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2DF29h	7_2_36F2DC70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2F4B9h	7_2_36F2F200
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F22971h	7_2_36F22588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F223E3h	7_2_36F2212B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov esp, ebp	7_2_36F2B0F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov esp, ebp	7_2_36F2B0E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2DBCDh	7_2_36F2CED0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2E379h	7_2_36F2E0C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F22971h	7_2_36F228A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2FD59h	7_2_36F2FAAE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2F909h	7_2_36F2F650
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	7_2_36F2CA29
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	7_2_36F2CC08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	7_2_36F2C3E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2F069h	7_2_36F2EDB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F22971h	7_2_36F22586
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2EC19h	7_2_36F2E961
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4x nop then jmp 36F2E7C9h	7_2_36F2E510

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2039190 ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.11.20:49845 -> 158.101.44.242:80

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eu361v7891419i1as1r1dl2nqlomasvu/1679114250000/12853136832670220481/*/1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l?e=download&uuid=687b7ba6-caf7-4f82-8267-8cb96e77380a HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-c4-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Rechung-R1663322504.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: CasPol.exe, 00000007.00000003.52341294724.000000000429A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.00000000042B3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52345673392.00000000042B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000007.00000003.52341294724.000000000429A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52345673392.00000000042AE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.00000000042AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000007.00000003.52345673392.0000000004296000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: CasPol.exe, 00000007.00000002.52560446262.0000000036F51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: CasPol.exe, 00000007.00000002.52560446262.0000000036F51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: CasPol.exe, 00000007.00000002.52561889914.0000000037600000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Rechung-R1663322504.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Rechung-R1663322504.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Rechung-R1663322504.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Amcache.hve.LOG1.9.dr, Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: Rechung-R1663322504.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: CasPol.exe, 00000007.00000002.52522416612.0000000004268000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52345673392.00000000042C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-c4-docs.googleusercontent.com/
Source: CasPol.exe, 00000007.00000002.52522416612.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52341294724.00000000042E4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.52345673392.00000000042E1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.0000000004283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-c4-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eu361v78
Source: CasPol.exe, 00000007.00000002.52522416612.000000000422B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000007.00000002.52522416612.0000000004268000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52537250560.0000000033B30000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.000000000422B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l
Source: CasPol.exe, 00000007.00000002.52522416612.0000000004268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-lf0
Source: CasPol.exe, 00000007.00000002.52522416612.000000000422B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-lha
Source: CasPol.exe, 00000007.00000002.52522416612.0000000004268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-ltsvcs
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E3B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E3B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.0000000036246000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.000000003625C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E3B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000007.00000002.52546988980.0000000036246000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.000000003625C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/P
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E3B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.0000000036246000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.000000003625C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Code function: 7_2_34B6A09A recv,

7_2_34B6A09A

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eu361v7891419i1as1r1dl2nqlomasvu/1679114250000/12853136832670220481/*/1RhzoPq21Mbz1UprqcH2DXnwFIoRgz7-l?e=download&uuid=687b7ba6-caf7-4f82-8267-8cb96e77380a HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-c4-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.11.20:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.129:443 -> 192.168.11.20:49844 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

1_2_00405402

Uses 32bit PE files

Source: Rechung-R1663322504.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 7.2.CasPol.exe.37520000.3.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_BrowserPass date = 2020-12-28, author = Arnim Rupp (https://github.com/ruppde), description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/jabiel/BrowserPass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.CasPol.exe.37520000.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_BrowserPass date = 2020-12-28, author = Arnim Rupp (https://github.com/ruppde), description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/jabiel/BrowserPass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_BrowserPass date = 2020-12-28, author = Arnim Rupp (https://github.com/ruppde), description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/jabiel/BrowserPass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2584

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

1_2_00403350

Creates files inside the system directory

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Windows\SysWOW64\Arbejdsglderne

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_00404C3F	1_2_00404C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D25C78	7_2_00D25C78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D26778	7_2_00D26778
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D27460	7_2_00D27460
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2BE60	7_2_00D2BE60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D24E10	7_2_00D24E10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A8D0	7_2_00D2A8D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D23CD0	7_2_00D23CD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22FD0	7_2_00D22FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D204C0	7_2_00D204C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D249C0	7_2_00D249C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2B5C0	7_2_00D2B5C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A8C0	7_2_00D2A8C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28EC8	7_2_00D28EC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D23CCE	7_2_00D23CCE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D222F0	7_2_00D222F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D215F0	7_2_00D215F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D263FA	7_2_00D263FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D222E2	7_2_00D222E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22FE0	7_2_00D22FE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22B90	7_2_00D22B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21E9E	7_2_00D21E9E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D23880	7_2_00D23880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A480	7_2_00D2A480
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22B80	7_2_00D22B80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D281B0	7_2_00D281B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D211B0	7_2_00D211B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D249B0	7_2_00D249B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29BB8	7_2_00D29BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28EB9	7_2_00D28EB9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D204BE	7_2_00D204BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2B5BE	7_2_00D2B5BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D211A0	7_2_00D211A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21EA0	7_2_00D21EA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D281A0	7_2_00D281A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29BA9	7_2_00D29BA9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20D50	7_2_00D20D50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21A50	7_2_00D21A50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2BE55	7_2_00D2BE55
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29759	7_2_00D29759
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22740	7_2_00D22740
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21A4E	7_2_00D21A4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2B170	7_2_00D2B170
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D24570	7_2_00D24570
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20070	7_2_00D20070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28A76	7_2_00D28A76
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28A78	7_2_00D28A78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2387E	7_2_00D2387E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A47E	7_2_00D2A47E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20D60	7_2_00D20D60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2B161	7_2_00D2B161
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2456A	7_2_00D2456A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29768	7_2_00D29768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D25C68	7_2_00D25C68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D26769	7_2_00D26769
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20910	7_2_00D20910
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2BA10	7_2_00D2BA10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D24110	7_2_00D24110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20011	7_2_00D20011
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2AD16	7_2_00D2AD16
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29318	7_2_00D29318
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28619	7_2_00D28619
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D26400	7_2_00D26400
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D21600	7_2_00D21600
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D20906	7_2_00D20906
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2BA0B	7_2_00D2BA0B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D29309	7_2_00D29309
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D22732	7_2_00D22732
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A030	7_2_00D2A030
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D23430	7_2_00D23430
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2AD20	7_2_00D2AD20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D24120	7_2_00D24120
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2A020	7_2_00D2A020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D2342B	7_2_00D2342B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_00D28628	7_2_00D28628
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F212E8	7_2_36F212E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F296A0	7_2_36F296A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F22C83	7_2_36F22C83
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2DC70	7_2_36F2DC70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2F200	7_2_36F2F200
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F265C8	7_2_36F265C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2212B	7_2_36F2212B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F264D0	7_2_36F264D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2CED0	7_2_36F2CED0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2E0C0	7_2_36F2E0C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F29ECB	7_2_36F29ECB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F25EA0	7_2_36F25EA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F214A8	7_2_36F214A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2FAAE	7_2_36F2FAAE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F29690	7_2_36F29690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F25E9E	7_2_36F25E9E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F25A79	7_2_36F25A79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2F650	7_2_36F2F650
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F26C19	7_2_36F26C19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2B408	7_2_36F2B408
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2ABF3	7_2_36F2ABF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2B3F8	7_2_36F2B3F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2C3E8	7_2_36F2C3E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2C3DA	7_2_36F2C3DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2EDB0	7_2_36F2EDB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F265B7	7_2_36F265B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2E961	7_2_36F2E961
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2BD40	7_2_36F2BD40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2BD30	7_2_36F2BD30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2E510	7_2_36F2E510
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2910F	7_2_36F2910F

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_34B6A67E NtQuerySystemInformation,		7_2_34B6A67E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_34B6A64D NtQuerySystemInformation,		7_2_34B6A64D

Tries to load missing DLLs

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

PE / OLE file has an invalid certificate

Source: Rechung-R1663322504.exe

Static PE information: invalid certificate

Source: Rechung-R1663322504.exe	ReversingLabs: Detection: 30%
Source: Rechung-R1663322504.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File read: C:\Users\user\Desktop\Rechung-R1663322504.exe

Jump to behavior

Source: Rechung-R1663322504.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Rechung-R1663322504.exe C:\Users\user\Desktop\Rechung-R1663322504.exe
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2584
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2584	Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	1_2_00403350
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_34B6A502 AdjustTokenPrivileges,	7_2_34B6A502
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_34B6A4CB AdjustTokenPrivileges,	7_2_34B6A4CB

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Users\user\Socialdirektrer

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File created: C:\Users\user\AppData\Local\Temp\nsxF7C5.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/15@3/3

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_004020FE CoCreateInstance,

1_2_004020FE

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_004046C3 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_004046C3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File written: C:\Windows\assembly\Desktop.ini

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Rechung-R1663322504.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Development\Releases\Json\Working\Src\Newtonsoft.Json\bin\Release\DotNet20\7d562147-cd91-4fc9-8abf-f0e85d79adad\Newtonsoft.Json.Net20.pdb source: CasPol.exe, 00000007.00000002.52546988980.0000000035EB7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52540526737.0000000034EBB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52546988980.0000000035F86000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52561889914.0000000037600000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\C L A Y\Desktop\BrowserPass-master\BrowserPass\obj\Debug\BrowserPass.pdb source: CasPol.exe, 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: -Cl#"costura.browserpass.pdb.compressed source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\C L A Y\Desktop\BrowserPass-master\BrowserPass\obj\Debug\BrowserPass.pdbPUjU \U_CorDllMainmscoree.dll source: CasPol.exe, 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: -Cl-,costura.newtonsoft.json.net20.pdb.compressed,)Cl\| source: CasPol.exe, 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.52371090291.000000000690B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A8BC82 pushfd ; retf	1_3_00A8BC83
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A8BEFE push EC8D5275h; retf	1_3_00A8BF03
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A88800 push eax; retf	1_3_00A88803
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A87879 pushad ; retf	1_3_00A8787B
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A8104B push es; ret	1_3_00A8104E
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A80DBC push es; retf	1_3_00A80EA6
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A877CD push edi; retf	1_3_00A87823
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A89B29 push esi; retf	1_3_00A89B4C
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_3_00A8A162 pushad ; retf 0029h	1_3_00A8A163
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_10002DE0 push eax; ret	1_2_10002E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2FAA2 push esp; ret	7_2_36F2FAA5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2203B push ebp; ret	7_2_36F22042
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F22013 push ebx; ret	7_2_36F2201A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F22011 push ebx; ret	7_2_36F22012
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21FE8 push ebx; ret	7_2_36F21FEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F2C3DA push 36F2C3BDh; ret	7_2_36F2C3A3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21FC1 push ebx; ret	7_2_36F21FC2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21F99 push ebx; ret	7_2_36F21F9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21D47 push edx; ret	7_2_36F21D4A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21D4B push ebx; ret	7_2_36F21D4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21D4F push ebx; ret	7_2_36F21D52
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F22121 push edi; ret	7_2_36F22122
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 7_2_36F21D01 push ecx; ret	7_2_36F21D02

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Drops PE files

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File created: C:\Users\user\AppData\Local\Temp\nsiF853.tmp\AdvSplash.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File created: C:\Users\user\AppData\Local\Temp\nsiF853.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Rechung-R1663322504.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Rechung-R1663322504.exe, 00000001.00000002.52369801898.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, Rechung-R1663322504.exe, 00000001.00000003.52267232301.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE1
Source: Rechung-R1663322504.exe, Rechung-R1663322504.exe, 00000001.00000002.52369801898.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, Rechung-R1663322504.exe, 00000001.00000003.52267232301.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_00402862 FindFirstFileW,	1_2_00402862
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040596D
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Code function: 1_2_004065A2 FindFirstFileW,FindClose,	1_2_004065A2

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000007.00000002.52522416612.000000000422B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.52522416612.0000000004283000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Rechung-R1663322504.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Rechung-R1663322504.exe, 00000001.00000002.52369801898.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, Rechung-R1663322504.exe, 00000001.00000003.52267232301.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe1
Source: Rechung-R1663322504.exe, Rechung-R1663322504.exe, 00000001.00000002.52369801898.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, Rechung-R1663322504.exe, 00000001.00000003.52267232301.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Rechung-R1663322504.exe, 00000001.00000002.52425335519.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Code function: 1_2_00406937 GetTickCount,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

1_2_00406937

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: 1100000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Users\user\Desktop\Rechung-R1663322504.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\Rechung-R1663322504.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2584	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Rechung-R1663322504.exe

1_2_00403350

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected BrowserPasswordDump

Source: Yara match	File source: 7.2.CasPol.exe.37520000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.CasPol.exe.37520000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52540526737.0000000034E8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52560446262.0000000036F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5220, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000007.00000002.52540526737.0000000034D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5220, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: 7.2.CasPol.exe.37520000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.CasPol.exe.37520000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.52561610808.0000000037520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52540526737.0000000034E8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52560446262.0000000036F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.52540526737.0000000034E46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5220, type: MEMORYSTR

ID:	829392
Product:	CloudBasic
Start time:	05:35:01
Start date:	18.03.2023
Sample:	Rechung-R1663322504.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	11b5b208de7a85b46104a0597c5da7dc
SHA1:	c578bc317e666159cbfc191cb4e50de2de03ab79
SHA256:	0a80ba418f561098477e18cc42ddfc31796b2be3166ff6c99967b98388fe4826
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_caspol.exe_5cc44e97acf31afa8e5c5ec1af53c5acde2c3_00000000_24c613c7-d23f-4749-9f08-829cc3a3e2d7\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	EB6A187691ECB171BB92C9F8E305FD41	9BF86D62729502A98EF78F098BB6361B93D3F193	EC8E0F9FC991A71C6669456807F0CD410DC40AD42C6CFDBB2D85041CF8EE476D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E03.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	CA48408075A231F52A067DA8CD11513C	025231FF1257DEAE25771552FE42E23D301AC397	BC5EC16382F87B2F16A3AFBEB91E1DDD715E80C1D79B016BB3132A464A3AF2A6
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E62.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	3B2723FA6E50F304DAB44C852B06D6A3	584FDF4AC4D9CEED31871A830D69D8E3DE05FDC5	58E37D2FBD32637D9BC03C469D6C1A071C6B09275AEC10F56FF20655397AD323
C:\Users\user\AppData\Local\Temp\nsiF853.tmp\AdvSplash.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	E8B67A37FB41D54A7EDA453309D45D97	96BE9BF7A988D9CEA06150D57CD1DE19F1FEC19E	2AD232BCCF4CA06CF13475AF87B510C5788AA790785FD50509BE483AFC0E0BCF
C:\Users\user\AppData\Local\Temp\nsiF853.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	8B3830B9DBF87F84DDD3B26645FED3A0	223BEF1F19E644A610A0877D01EADC9E28299509	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
C:\Users\user\Separationerne.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide	4196863E92696387150E600E60EFC6FB	EB522598123ACA565CD764787F652CCAA18132CA	9EE412852B59929D0F10D8647FC2F25A79C7F216578159A43B175BA544FFB4B5
C:\Users\user\Socialdirektrer\Fornices\Vingummis\Flannelled\Yndighed\Adventure_20.bmp	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, components 3	A4530760E13B17372AE0D8CB48F66D0D	AA21564FA3A847E59402B62D3F600DDA5046A926	F37F7A75DC27903EA88D1A3912DFB9123CA217E2467EB6D5DC966F60DC7F9DB7
C:\Users\user\Socialdirektrer\Fornices\Vingummis\Flannelled\Yndighed\Dialektforskningen134.Luk	ASCII text, with very long lines (35012), with no line terminators	F75A78EE11492D9F9146075023D485D3	772AE864C11AE2C45834F681EFDF662BBD28268B	5916C8773319EA24B225C76FE361D360360CE03E1F61E2E86387514A185BDAF9
C:\Users\user\Socialdirektrer\Vandspildets.Shi37	data	BAFC11E1543369B58D7852857D986EFA	A00AD13ECA7F98C1CBBC7AE32151D3878DD2BBB0	F8D1014289006D2ACCAB3D5A1C36CD867B4D6BEC50781365175B4FF8323A5E81
C:\Users\user\Socialdirektrer\media-floppy-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	293D1D4F18C3A918A44FAD289715E950	BD92A45835DD693FE8D0B72F296FE0134D46B876	553F673950BE4DE71377A297050888D0BE5A997DB334781994C3265EDA30C7B3
C:\Users\user\Socialdirektrer\mk.txt	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	71D42ABE45803AC9C3DA5FCACF9CC59C	98A1049906972ABB480ABAF1F5658C1B8C10F27C	78F5CB9345AB258CF745EAA90D44C7A7A73D3FE06EA182B1298A989135FFA11F
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	327F109CCA4114DE4FE63066D46805A7	3798C39C38008FB918DCB98DF7DC3C54EC4B17C5	9D4022C4B5D40785C0B700F710E7F9FBFD14BDAAE9613FE4ACCCDF6BF253BD65
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	8726C4CBDA130722A758F76728527B19	7E989D5E29BECA70895BF7F8DCE7ECD5A502B331	3856E2E2811C31B7CFB6872DB96F0E384ECA9C3B6DDE5B9712BFC85D20A2B952
C:\Windows\assembly\Desktop.ini	Windows desktop.ini	F7F759A5CD40BC52172E83486B6DE404	D74930F354A56CFD03DC91AA96D8AE9657B1EE54	A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C
\Device\ConDrv	ASCII text	95A9765293B395853C7059AB01DA28AE	7627EBC68CCE94B1E1CCC826C0D14D8068B3C90D	08E334353322F44FDC19102929B367F4D870F3BC8872F973EAAA8119B6AC771F

Windows Analysis Report
Rechung-R1663322504.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Rechung-R1663322504.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Rechung-R1663322504.exe