
Analysis Report 35c08321-bd5d-46a4-a0e1-c20e37a09f91

Overview

General Information

Sample Name: 35c08321-bd5d-46a4-a0e1-c20e37a09f91 (renamed file extension from none to exe)
Analysis ID: 299744
MD5: 624706daf30855712f050e092df51ea6
SHA1: 731c327dc2ead198d2ecb6493247cf7652dda687
SHA256: 48fd43b160911b31c7b1d4fa1c08a5b20a8fa0a5686f185846b39e048e5243a9

Most interesting Screenshot:

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe (PID: 5896 cmdline: 'C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe' MD5: 624706DAF30855712F050E092DF51EA6)
    • timeout.exe (PID: 256 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 3544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CasPol.exe (PID: 5456 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 5260 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • WerFault.exe (PID: 4680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 1708 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.489717824.0000000002EA1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000002.489717824.0000000002EA1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000A.00000002.486658346.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.343873064.0000000004463000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe PID: 5896 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.CasPol.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | ReversingLabs: Detection: 12%
Machine Learning detection for sample
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Joe Sandbox ML: detected
Source: 10.2.CasPol.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 4x nop then jmp 0194B707h (0_2_0194A9F8)

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: hastebin.com
Source: Joe Sandbox View | IP Address: 104.24.126.89
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS traffic detected: queries for: hastebin.com
Source: CasPol.exe, 0000000A.00000002.489717824.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000A.00000002.489717824.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.342958991.00000000032E6000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.342958991.00000000032E6000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.342958991.00000000032E6000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 0000000A.00000002.489717824.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://hbrNYN.com
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.342958991.00000000032E6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.342911572.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.320470106.0000000005CB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: CasPol.exe, 0000000A.00000002.489717824.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.343873064.0000000004463000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.486658346.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: CasPol.exe, 0000000A.00000002.489717824.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.342911572.0000000003291000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: https://hastebin.com/raw/jerusucobi
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: https://hastebin.com/raw/judezaxavi
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.342958991.00000000032E6000.00000004.00000001.sdmp, 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.343012334.0000000003300000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.343873064.0000000004463000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.486658346.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: CasPol.exe, 0000000A.00000002.489717824.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 10.2.CasPol.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b13A7F633u002dC95Eu002d4B30u002d9665u002d08DA8974002Fu007d/F16E028Du002d359Bu002d46CBu002dA714u002dC126504B0C68.cs | Large array initialization: .cctor: array initializer size 11997
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_019486A0 NtSetInformationThread
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_0194A120 NtSetInformationThread
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_0194A9F8
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_01947500
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_01948B71
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_0194A277
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_01948B80
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_0630E0A0
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Code function: 0_2_0630B6C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_02AF46A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_02AF35C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_02AF461A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_02AFD281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_02AF5390
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 1708
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Static PE information: invalid certificate
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.343012334.0000000003300000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.344913747.0000000005880000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.345773364.0000000006250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 10.2.CasPol.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.CasPol.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal96.troj.evad.winEXE@9/4@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3544:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5896
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER48FB.tmp
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | File read: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe
Source: unknown | Process created: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe 'C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 1708
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: System.pdb$ source: WER48FB.tmp.dmp.13.dr
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.314815200.00000000055A0000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.323026660.0000000005A7B000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.323309649.0000000005A60000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbF source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000000D.00000003.323026660.0000000005A7B000.00000004.00000001.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.323026660.0000000005A7B000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.323309649.0000000005A60000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.322991739.0000000005AA6000.00000004.00000001.sdmp, WER48FB.tmp.dmp.13.dr
Source: Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb5 source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb% source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.315098052.00000000035D6000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb8 source: WER48FB.tmp.dmp.13.dr
Source: Binary string: shcore.pdbX source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.322824738.0000000005A62000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000D.00000003.323026660.0000000005A7B000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbp source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
Source: Binary string: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.PDB#`cY source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.341736483.00000000011B4000.00000004.00000010.sdmp
Source: Binary string: ole32.pdbb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000D.00000003.322824738.0000000005A62000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb: source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER48FB.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdb. source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: version.pdbJ source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
Source: Binary string: wintrust.pdb# source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbL source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.322824738.0000000005A62000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb6 source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.314940368.00000000035D0000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER48FB.tmp.dmp.13.dr
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER48FB.tmp.dmp.13.dr
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.323026660.0000000005A7B000.00000004.00000001.sdmp
Source: Binary string: .pdb? source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.341736483.00000000011B4000.00000004.00000010.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER48FB.tmp.dmp.13.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.PDB4 source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.341736483.00000000011B4000.00000004.00000010.sdmp
Source: Binary string: ncryptsslp.pdb? source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000D.00000003.322824738.0000000005A62000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdbd source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.323309649.0000000005A60000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb- source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: c.pdbis source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.341736483.00000000011B4000.00000004.00000010.sdmp
              Source: Binary string: winnsi.pdb) source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc6.pdb1 source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb< source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: oleaut32.pdbT source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.323309649.0000000005A60000.00000004.00000040.sdmp
              Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER48FB.tmp.dmp.13.dr
              Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
              Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: jVisualBasic.pdb source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.341736483.00000000011B4000.00000004.00000010.sdmp
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000D.00000003.323026660.0000000005A7B000.00000004.00000001.sdmp
              Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
              Source: Binary string: System.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
              Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.323026660.0000000005A7B000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdbh source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbT3hl source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
              Source: Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.323026660.0000000005A7B000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.323309649.0000000005A60000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdbR source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.315098052.00000000035D6000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.322824738.0000000005A62000.00000004.00000040.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.322824738.0000000005A62000.00000004.00000040.sdmp
              Source: Binary string: combase.pdbk source: WerFault.exe, 0000000D.00000003.322824738.0000000005A62000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp, WER48FB.tmp.dmp.13.dr
              Source: Binary string: cryptbase.pdbb source: WerFault.exe, 0000000D.00000003.322978816.0000000005A91000.00000004.00000001.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000002.341136258.0000000006200000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000D.00000003.322824738.0000000005A62000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000D.00000003.322991739.0000000005AA6000.00000004.00000001.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: fltLib.pdb~ source: WerFault.exe, 0000000D.00000003.323283981.0000000005A6A000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.322991739.0000000005AA6000.00000004.00000001.sdmp, WER48FB.tmp.dmp.13.dr
              Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.322771412.0000000005A6E000.00000004.00000040.sdmp
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_00FEBC8E push cs; ret 0_2_00FEBCE7
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E1635 push esp; iretd 0_2_062E164F
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E54B0 push esp; retf 0_2_062E54B7
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E5496 push esp; retf 0_2_062E54AB
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E4D2A pushfd ; retf 0_2_062E4D31
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E4D24 pushfd ; retf 0_2_062E4D25
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E551B push eax; retf 0_2_062E5522
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E5369 pushad ; retf 0_2_062E536A
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E1776 pushad ; iretd 0_2_062E1790
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E5370 pushad ; retf 0_2_062E5376
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E1DBB pushfd ; iretd 0_2_062E1DD5
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Code function: 0_2_062E15CA push eax; iretd 0_2_062E15E4
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 565
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4564 Thread sleep count: 565 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -59812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -58906s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -58500s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -58312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -57812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -57594s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -57406s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -56500s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -56312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -56094s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -55188s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -55000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -54812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -54312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -54094s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -53906s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -53688s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -53000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -52812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -51906s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -51688s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -51312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -50812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -50406s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -50188s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -49500s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -49094s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -48188s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -48000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -47812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -47094s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -46906s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -46688s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -46000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -45812s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -45594s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -44906s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -44688s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644 Thread sleep time: -44312s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -43812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -43594s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -43406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -42500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -41406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -41000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -40812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -40312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -39906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -39688s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -39000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -38812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -38594s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -37906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -37688s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -37500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -36812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -36594s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -36406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -36188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -35500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -35312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -34406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -34188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -33812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -33312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -32906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -32688s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -31812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4644Thread sleep time: -31594s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exe; File opened: PhysicalDrive0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe; Last function: Thread delayed
              Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.344913747.0000000005880000.00000002.00000001.sdmp, CasPol.exe, 0000000A.00000002.491698580.0000000005BE0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.340859663.0000000005B80000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: WerFault.exe, 0000000D.00000002.335040006.0000000003507000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW
              Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.344913747.0000000005880000.00000002.00000001.sdmp, CasPol.exe, 0000000A.00000002.491698580.0000000005BE0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.340859663.0000000005B80000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.344913747.0000000005880000.00000002.00000001.sdmp, CasPol.exe, 0000000A.00000002.491698580.0000000005BE0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.340859663.0000000005B80000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: 35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe, 00000000.00000002.344913747.0000000005880000.00000002.00000001.sdmp, CasPol.exe, 0000000A.00000002.491698580.0000000005BE0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.340859663.0000000005B80000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\35c08321-bd5d-46a4-a0e1-c20e37a09f91.exe; Process information queried: ProcessInformation

              Anti Debugging:
