Source: 00000006.00000000.75558223607.0000000001200000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1BlKZMF9MVJA&"}
Source: CasPol.exe.7008.6.memstrmin
Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gulnaz@furteksdokuma.com.tr@Gulnaz159753mail.furteksdokuma.com.trkevinlog25@gmail.com"}
Source: CasPol.exe, 00000006.00000002.76597546211.000000001E441000.00000004.00000001.sdmp
String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000006.00000002.76597546211.000000001E441000.00000004.00000001.sdmp
String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000006.00000003.75745983855.0000000001620000.00000004.00000001.sdmp
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000006.00000003.75745983855.0000000001620000.00000004.00000001.sdmp
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000006.00000002.76597546211.000000001E441000.00000004.00000001.sdmp
String found in binary or memory: http://tbLjUn.com
Source: Justificante.exe
String found in binary or memory: http://topqualityfreeware.com
Source: Justificante.exe
String found in binary or memory: http://www.topqualityfreeware.com/
Source: CasPol.exe, 00000006.00000003.75745983855.0000000001620000.00000004.00000001.sdmp
String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: CasPol.exe, 00000006.00000003.75745983855.0000000001620000.00000004.00000001.sdmp
String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: CasPol.exe, 00000006.00000003.75745983855.0000000001620000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.75750804342.0000000001619000.00000004.00000001.sdmp
String found in binary or memory: https://doc-14-48-docs.googleusercontent.com/
Source: CasPol.exe, 00000006.00000002.76587639424.000000000160B000.00000004.00000020.sdmp
String found in binary or memory: https://doc-14-48-docs.googleusercontent.com/P
Source: CasPol.exe, 00000006.00000003.75745983855.0000000001620000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.75750804342.0000000001619000.00000004.00000001.sdmp
String found in binary or memory: https://doc-14-48-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/0g7u5k11
Source: CasPol.exe, 00000006.00000002.76587053720.0000000001598000.00000004.00000020.sdmp
String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000006.00000002.76587053720.0000000001598000.00000004.00000020.sdmp
String found in binary or memory: https://drive.google.com/.f
Source: CasPol.exe, 00000006.00000003.75745983855.0000000001620000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76586836765.0000000001430000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76587346116.00000000015D6000.00000004.00000020.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1BlKZMF9MVJAQ4upDwXLe5aNIoHz7szu8
Source: CasPol.exe, 00000006.00000002.76587346116.00000000015D6000.00000004.00000020.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1BlKZMF9MVJAQ4upDwXLe5aNIoHz7szu8Fj
Source: CasPol.exe, 00000006.00000003.75745983855.0000000001620000.00000004.00000001.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1BlKZMF9MVJAQ4upDwXLe5aNIoHz7szu8qurfYj4I-JJpWZhZY
Source: CasPol.exe, 00000006.00000002.76597546211.000000001E441000.00000004.00000001.sdmp
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_004090EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Code function: 6_2_00EE4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Code function: 6_2_00EE1130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Code function: 6_2_00EE3A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Code function: 6_2_00EE3708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Code function: 6_2_1E245E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Code function: 6_2_1E2446C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Code function: 6_2_1E246AF1
Source: unknown
Process created: C:\Users\user\Desktop\Justificante.exe "C:\Users\user\Desktop\Justificante.exe"
Source: C:\Users\user\Desktop\Justificante.exe
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\Justificante.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_0040440F pushfd ; retf 2_2_0040442C
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_00403834 push es; ret 2_2_00403836
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_004044F3 pushfd ; retf 2_2_004044F4
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_004051CC push dword ptr [esi]; iretd 2_2_004051D3
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_00404592 pushfd ; retf 2_2_004045A4
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_004045A7 pushfd ; retf 2_2_004045B8
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_0040666B pushfd ; retf 2_2_0040666C
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_004062CF pushfd ; retf 2_2_004062D0
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_004072EF pushfd ; retf 2_2_0040731C
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_00404287 pushfd ; retf 2_2_00404288
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_00404343 pushfd ; retf 2_2_00404354
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_0040634B pushfd ; retf 2_2_00406358
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_00404357 pushfd ; retf 2_2_00404358
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_004067EC pushfd ; retf 2_2_004067F4
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_053A196C push C8AEE283h; ret 2_2_053A1971
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_053A279D pushfd ; iretd 2_2_053A27A5
Source: C:\Users\user\Desktop\Justificante.exe
Code function: 2_2_053A0EE4 push ds; iretd 2_2_053A0EFB
Source: C:\Users\user\Desktop\Justificante.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe
Process information set: NOOPENFILEERRORBOX
Source: Justificante.exe, 00000002.00000002.75778239526.00000000053C0000.00000004.00000001.sdmp
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
Source: CasPol.exe, 00000006.00000002.76586836765.0000000001430000.00000004.00000001.sdmp
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1BLKZMF9MVJAQ4UPDWXLE5ANIOHZ7SZU8
Source: Justificante.exe, 00000002.00000002.75778239526.00000000053C0000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76586836765.0000000001430000.00000004.00000001.sdmp
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Justificante.exe, 00000002.00000002.75778304019.0000000005489000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: Hyper-V Guest Shutdown Service
Source: Justificante.exe, 00000002.00000002.75778304019.0000000005489000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: vmicshutdown
Source: CasPol.exe, 00000006.00000002.76587053720.0000000001598000.00000004.00000020.sdmp
Binary or memory string: Hyper-V RAW`Qa
Source: Justificante.exe, 00000002.00000002.75778304019.0000000005489000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Justificante.exe, 00000002.00000002.75778239526.00000000053C0000.00000004.00000001.sdmp
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll
Source: Justificante.exe, 00000002.00000002.75778304019.0000000005489000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: Hyper-V PowerShell Direct Service
Source: Justificante.exe, 00000002.00000002.75778304019.0000000005489000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000006.00000002.76586836765.0000000001430000.00000004.00000001.sdmp
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://drive.google.com/uc?export=download&id=1BlKZMF9MVJAQ4upDwXLe5aNIoHz7szu8
Source: CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: vmicvss
Source: CasPol.exe, 00000006.00000002.76587639424.000000000160B000.00000004.00000020.sdmp
Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000006.00000002.76587639424.000000000160B000.00000004.00000020.sdmp
Binary or memory string: Hyper-V RAW,
Source: Justificante.exe, 00000002.00000002.75778239526.00000000053C0000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76586836765.0000000001430000.00000004.00000001.sdmp
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Justificante.exe, 00000002.00000002.75778304019.0000000005489000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: Hyper-V Data Exchange Service
Source: Justificante.exe, 00000002.00000002.75778304019.0000000005489000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: Hyper-V Heartbeat Service
Source: Justificante.exe, 00000002.00000002.75778304019.0000000005489000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000006.00000002.76588942358.00000000031B9000.00000004.00000001.sdmp
Binary or memory string: vmicheartbeat
Source: CasPol.exe, 00000006.00000002.76588481923.0000000001D61000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: CasPol.exe, 00000006.00000002.76588481923.0000000001D61000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: CasPol.exe, 00000006.00000002.76588481923.0000000001D61000.00000002.00020000.sdmp
Binary or memory string: Progmanlock
Source: CasPol.exe, 00000006.00000002.76588481923.0000000001D61000.00000002.00020000.sdmp
Binary or memory string: `Program Manager
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation