Source: unknown |
TCP traffic detected without corresponding DNS query: 79.134.225.122 |
Source: CasPol.exe, 0000000D.00000003.78992434114.0000000001570000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79854189696.0000000001163000.00000004.00000020.sdmp, CasPol.exe, 0000001B.00000002.79969192260.00000000010B9000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: CasPol.exe, 0000000D.00000003.78992434114.0000000001570000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79854189696.0000000001163000.00000004.00000020.sdmp, CasPol.exe, 0000001B.00000002.79969192260.00000000010B9000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: CasPol.exe, 00000017.00000003.79782611527.00000000011D3000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79854189696.0000000001163000.00000004.00000020.sdmp |
String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en |
Source: CasPol.exe, 0000001B.00000003.79904434041.0000000001130000.00000004.00000001.sdmp |
String found in binary or memory: https://csp.witN |
Source: CasPol.exe, 0000000D.00000003.78164216703.0000000001574000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000003.79779831865.00000000011C1000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000003.79901056457.0000000001137000.00000004.00000001.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
Source: CasPol.exe, 0000000D.00000003.78164216703.0000000001574000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000003.79779831865.00000000011C1000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000003.79901056457.0000000001137000.00000004.00000001.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq |
Source: CasPol.exe, 0000000D.00000003.78460048091.0000000001535000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-00-68-docs.googleusercontent.com/ |
Source: CasPol.exe, 0000000D.00000003.78460048091.0000000001535000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-00-68-docs.googleusercontent.com/%%doc-00-68-docs.googleusercontent.com |
Source: CasPol.exe, 0000000D.00000003.78460048091.0000000001535000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-00-68-docs.googleusercontent.com/0 |
Source: CasPol.exe, 0000000D.00000003.78164216703.0000000001574000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-00-68-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7ag4bnhn |
Source: CasPol.exe, 00000017.00000002.79854189696.0000000001163000.00000004.00000020.sdmp, CasPol.exe, 0000001B.00000003.79904434041.0000000001130000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-04-3g-docs.googleusercontent.com/ |
Source: CasPol.exe, 0000001B.00000002.79969642742.0000000001120000.00000004.00000020.sdmp |
String found in binary or memory: https://doc-04-3g-docs.googleusercontent.com/%%doc-04-3g-docs.googleusercontent.com |
Source: CasPol.exe, 00000017.00000002.79854189696.0000000001163000.00000004.00000020.sdmp |
String found in binary or memory: https://doc-04-3g-docs.googleusercontent.com/7 |
Source: CasPol.exe, 00000017.00000002.79854564800.00000000011AB000.00000004.00000020.sdmp |
String found in binary or memory: https://doc-04-3g-docs.googleusercontent.com/P |
Source: CasPol.exe, 0000001B.00000003.79904434041.0000000001130000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-04-3g-docs.googleusercontent.com/docs/securesc/m3j9n |
Source: CasPol.exe, 0000001B.00000003.79901056457.0000000001137000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-04-3g-docs.googleusercontent.com/docs/securesc/m3j9najiejndjck0dhvpff742spjj7o6/mqftof4t |
Source: CasPol.exe, 00000017.00000003.79788745751.00000000011C1000.00000004.00000001.sdmp |
String found in binary or memory: https://docs.google.com/ |
Source: CasPol.exe, 00000017.00000003.79782467161.00000000011C1000.00000004.00000001.sdmp |
String found in binary or memory: https://docs.google.com/lC |
Source: CasPol.exe, 00000017.00000003.79782611527.00000000011D3000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000003.79788745751.00000000011C1000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000003.79782467161.00000000011C1000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79854564800.00000000011AB000.00000004.00000020.sdmp |
String found in binary or memory: https://docs.google.com/nonceSigner?nonce=s94nbloa4nc92&continue=https://doc-04-3g-docs.googleuserco |
Source: CasPol.exe, 00000017.00000002.79854189696.0000000001163000.00000004.00000020.sdmp, CasPol.exe, 0000001B.00000002.79969192260.00000000010B9000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/ |
Source: CasPol.exe, 0000001B.00000002.79968890359.0000000001077000.00000004.00000020.sdmp, CasPol.exe, 0000001B.00000002.79968686867.0000000000F40000.00000004.00000001.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1oM9hn-PPsGzsYLC6phCcZPr7HMtVKRgX |
Source: CasPol.exe, 0000000D.00000003.78164152939.0000000001570000.00000004.00000001.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1oM9hn-PPsGzsYLC6phCcZPr7HMtVKRgXOvxQvyU_6Z1TC1nUE |
Source: 23.2.CasPol.exe.1f189ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 23.2.CasPol.exe.1f189ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 23.2.CasPol.exe.1f18eadc.1.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 27.2.CasPol.exe.1f0aeadc.2.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 23.2.CasPol.exe.1e163f10.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 27.2.CasPol.exe.1e083f10.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 23.2.CasPol.exe.1f18eadc.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 27.2.CasPol.exe.1f0a9ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 27.2.CasPol.exe.1f0a9ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 23.2.CasPol.exe.1f193105.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 27.2.CasPol.exe.1f0aeadc.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 27.2.CasPol.exe.1f0b3105.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000017.00000002.79863339274.000000001E141000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000017.00000002.79863641955.000000001F141000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0000001B.00000002.79978855466.000000001F061000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0000001B.00000002.79978540386.000000001E061000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: CasPol.exe PID: 6916, type: MEMORYSTR |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: CasPol.exe PID: 7356, type: MEMORYSTR |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 23.2.CasPol.exe.1f189ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 23.2.CasPol.exe.1f189ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 23.2.CasPol.exe.1f189ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 23.2.CasPol.exe.1f18eadc.1.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 23.2.CasPol.exe.1f18eadc.1.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 27.2.CasPol.exe.1f0aeadc.2.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 27.2.CasPol.exe.1f0aeadc.2.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 23.2.CasPol.exe.1e163f10.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 23.2.CasPol.exe.1e163f10.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 27.2.CasPol.exe.1e083f10.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 27.2.CasPol.exe.1e083f10.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 23.2.CasPol.exe.1f18eadc.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 23.2.CasPol.exe.1f18eadc.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 27.2.CasPol.exe.1f0a9ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 27.2.CasPol.exe.1f0a9ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 27.2.CasPol.exe.1f0a9ca6.3.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 23.2.CasPol.exe.1f193105.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 23.2.CasPol.exe.1f193105.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 27.2.CasPol.exe.1f0aeadc.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 27.2.CasPol.exe.1f0aeadc.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 27.2.CasPol.exe.1f0b3105.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 27.2.CasPol.exe.1f0b3105.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000017.00000002.79863339274.000000001E141000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000017.00000002.79863641955.000000001F141000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0000001B.00000002.79978855466.000000001F061000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0000001B.00000002.79978540386.000000001E061000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: CasPol.exe PID: 6916, type: MEMORYSTR |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: CasPol.exe PID: 7356, type: MEMORYSTR |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\backgroundTaskHost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\MAGTTEKNIK\PEGASUS.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Doc0011222003.exe, 00000002.00000002.78194937276.0000000003179000.00000004.00000001.sdmp, PEGASUS.exe, 00000013.00000002.79814052365.00000000031F9000.00000004.00000001.sdmp, PEGASUS.exe, 00000014.00000002.79929761260.0000000003279000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79855507105.0000000002C89000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: PEGASUS.exe, 00000014.00000002.79927288896.0000000000600000.00000004.00000020.sdmp |
Binary or memory string: gram Files\Qemu-ga\qemu-ga.exe |
Source: CasPol.exe, 00000017.00000002.79853001632.0000000000F00000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79968686867.0000000000F40000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=\PEGASUS.exe\MAGTTEKNIKhttps://drive.google.com/uc?export=download&id=1oM9hn-PPsGzsYLC6phCcZPr7HMtVKRgX |
Source: Doc0011222003.exe, 00000002.00000002.78194937276.0000000003179000.00000004.00000001.sdmp, PEGASUS.exe, 00000013.00000002.79814052365.00000000031F9000.00000004.00000001.sdmp, PEGASUS.exe, 00000014.00000002.79929761260.0000000003279000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79855507105.0000000002C89000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: vmicshutdown |
Source: CasPol.exe, 00000017.00000002.79854564800.00000000011AB000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW< |
Source: Doc0011222003.exe, 00000002.00000002.78194937276.0000000003179000.00000004.00000001.sdmp, PEGASUS.exe, 00000013.00000002.79814052365.00000000031F9000.00000004.00000001.sdmp, PEGASUS.exe, 00000014.00000002.79929761260.0000000003279000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79855507105.0000000002C89000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: PEGASUS.exe, 00000013.00000002.79811466597.0000000000643000.00000004.00000020.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe```8I |
Source: PEGASUS.exe, 00000013.00000002.79811196931.0000000000570000.00000004.00000010.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exe\syswow64\msvbvm60.dll |
Source: Doc0011222003.exe, 00000002.00000002.78194937276.0000000003179000.00000004.00000001.sdmp, PEGASUS.exe, 00000013.00000002.79814052365.00000000031F9000.00000004.00000001.sdmp, PEGASUS.exe, 00000014.00000002.79929761260.0000000003279000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79855507105.0000000002C89000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: Doc0011222003.exe, 00000002.00000002.78194937276.0000000003179000.00000004.00000001.sdmp, PEGASUS.exe, 00000013.00000002.79814052365.00000000031F9000.00000004.00000001.sdmp, PEGASUS.exe, 00000014.00000002.79929761260.0000000003279000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79855507105.0000000002C89000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: vmicvss |
Source: CasPol.exe, 0000000D.00000003.78460233037.000000000154B000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79853729008.000000000111C000.00000004.00000020.sdmp, CasPol.exe, 0000001B.00000002.79968890359.0000000001077000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: PEGASUS.exe, 00000014.00000002.79927620516.0000000000700000.00000004.00000010.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exe\syswow64\msvbvm60.dll |
Source: PEGASUS.exe, 00000013.00000002.79811196931.0000000000570000.00000004.00000010.sdmp, PEGASUS.exe, 00000014.00000002.79927620516.0000000000700000.00000004.00000010.sdmp, CasPol.exe, 00000017.00000002.79853001632.0000000000F00000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79968686867.0000000000F40000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: Doc0011222003.exe, 00000002.00000002.78194937276.0000000003179000.00000004.00000001.sdmp, PEGASUS.exe, 00000013.00000002.79814052365.00000000031F9000.00000004.00000001.sdmp, PEGASUS.exe, 00000014.00000002.79929761260.0000000003279000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79855507105.0000000002C89000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: Doc0011222003.exe, 00000002.00000002.78191921846.000000000061D000.00000004.00000020.sdmp |
Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe-* |
Source: Doc0011222003.exe, 00000002.00000002.78194937276.0000000003179000.00000004.00000001.sdmp, PEGASUS.exe, 00000013.00000002.79814052365.00000000031F9000.00000004.00000001.sdmp, PEGASUS.exe, 00000014.00000002.79929761260.0000000003279000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79855507105.0000000002C89000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: Doc0011222003.exe, 00000002.00000002.78194937276.0000000003179000.00000004.00000001.sdmp, PEGASUS.exe, 00000013.00000002.79814052365.00000000031F9000.00000004.00000001.sdmp, PEGASUS.exe, 00000014.00000002.79929761260.0000000003279000.00000004.00000001.sdmp, CasPol.exe, 00000017.00000002.79855507105.0000000002C89000.00000004.00000001.sdmp, CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: PEGASUS.exe, 00000013.00000002.79811466597.0000000000643000.00000004.00000020.sdmp |
Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: CasPol.exe, 0000001B.00000002.79970754366.0000000002CF9000.00000004.00000001.sdmp |
Binary or memory string: vmicheartbeat |