Source: CasPol.exe, 0000000D.00000002.7349511763.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000D.00000002.7350801578.000000001DE28000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7350917897.000000001DE36000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7351132420.000000001DE62000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7351187881.000000001DE6A000.00000004.00000001.sdmp | String found in binary or memory: http://8AH9aWyWzTn3yBDLZw.net
Source: CasPol.exe, 0000000D.00000002.7350801578.000000001DE28000.00000004.00000001.sdmp | String found in binary or memory: http://8AH9aWyWzTn3yBDLZw.nett-
Source: CasPol.exe, 0000000D.00000002.7349511763.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 0000000D.00000002.7335956710.0000000001002000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7350917897.000000001DE36000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7336199881.0000000001017000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7356678782.000000001FF48000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CasPol.exe, 0000000D.00000003.2751321706.0000000001061000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7337234857.0000000001061000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000003.2755167735.0000000001061000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 0000000D.00000002.7350917897.000000001DE36000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7336199881.0000000001017000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7356922567.000000001FF72000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7356678782.000000001FF48000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CasPol.exe, 0000000D.00000002.7336567127.0000000001034000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7350917897.000000001DE36000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7336199881.0000000001017000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7356678782.000000001FF48000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: CasPol.exe, 0000000D.00000003.2751321706.0000000001061000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7337234857.0000000001061000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000003.2755167735.0000000001061000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 0000000D.00000002.7350917897.000000001DE36000.00000004.00000001.sdmp | String found in binary or memory: http://furteksdokuma.com.tr
Source: CasPol.exe, 0000000D.00000002.7349511763.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: http://kFWRbv.com
Source: CasPol.exe, 0000000D.00000002.7350917897.000000001DE36000.00000004.00000001.sdmp | String found in binary or memory: http://mail.furteksdokuma.com.tr
Source: CasPol.exe, 0000000D.00000002.7335956710.0000000001002000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7336567127.0000000001034000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7350917897.000000001DE36000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7336199881.0000000001017000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7356922567.000000001FF72000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7356678782.000000001FF48000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: UserOOBEBroker.exe, 00000015.00000002.7333160812.000001EB84730000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.microso
Source: CasPol.exe, 0000000D.00000003.2751321706.0000000001061000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: CasPol.exe, 0000000D.00000003.2751321706.0000000001061000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: CasPol.exe, 0000000D.00000003.2755167735.0000000001061000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-5k-docs.googleusercontent.com/
Source: CasPol.exe, 0000000D.00000002.7336199881.0000000001017000.00000004.00000020.sdmp | String found in binary or memory: https://doc-08-5k-docs.googleusercontent.com/_
Source: CasPol.exe, 0000000D.00000003.2751321706.0000000001061000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7337234857.0000000001061000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000003.2754982414.0000000001043000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000003.2755167735.0000000001061000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-5k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/rnbptrhp
Source: CasPol.exe, 0000000D.00000003.2755167735.0000000001061000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-5k-docs.googleusercontent.com/y
Source: CasPol.exe, 0000000D.00000002.7335956710.0000000001002000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 0000000D.00000002.7334475913.0000000000E30000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7336199881.0000000001017000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=150165GSkz9-m3FahfFvn26gkuLRySZPu
Source: CasPol.exe, 0000000D.00000003.2751137585.000000000104A000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=150165GSkz9-m3FahfFvn26gkuLRySZPuFdq1n8HLuvGi-fpP0
Source: CasPol.exe, 0000000D.00000002.7336199881.0000000001017000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=150165GSkz9-m3FahfFvn26gkuLRySZPuk
Source: CasPol.exe, 0000000D.00000002.7350383503.000000001DDD8000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 0000000D.00000002.7349511763.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 0000000D.00000002.7349511763.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 0000000D.00000002.7349511763.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 0000000D.00000002.7336567127.0000000001034000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7350917897.000000001DE36000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7336199881.0000000001017000.00000004.00000020.sdmp, CasPol.exe, 0000000D.00000002.7356678782.000000001FF48000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: CasPol.exe, 0000000D.00000002.7350383503.000000001DDD8000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 0000000D.00000002.7349511763.000000001DD21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004036BD
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00401538
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00401774
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00401727
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_008F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_008F6988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_008F1420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00931130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00933A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0093BA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00934320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0093C7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00933708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00F28490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00F2A9F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00F28F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00F26270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00F23330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_011719B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_01172DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_01177E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0117DED5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0117D2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0117A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_0117A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_013C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_013C50F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_013C6C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_013C6048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_013CA420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_1DB95E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_1DB946C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_1DB95DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_1DB96AF1
Source: unknown | Process created: C:\Users\user\Desktop\FACTURAS.exe "C:\Users\user\Desktop\FACTURAS.exe"
Source: C:\Users\user\Desktop\FACTURAS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
Source: C:\Users\user\Desktop\FACTURAS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004013B4 push FFFFFFCDh; iretd 0_2_0040140C
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040204F push FFFFFFCDh; iretd 0_2_0040206F
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004111C3 push ebp; ret 0_2_00411288
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004051D5 push 0340104Fh; iretd 0_2_004051DB
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00403A4A push esi; retf 0_2_00403A4B
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00402B0E push FFFFFFCDh; iretd 0_2_00402D9B
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00404C1F push eax; ret 0_2_00404C39
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040BCD6 push 3CF881B8h; ret 0_2_0040BD03
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00413574 push 00000039h; iretd 0_2_00413578
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040A61E push D9EC50BBh; retf 0_2_0040A62B
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040A739 push cs; iretd 0_2_0040A73A
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_02295AF5 push esi; retf 0_2_02295B05
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_02290B8A pushfd ; ret 0_2_02290E7D
Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_022933FF push ds; retf 0_2_02293401
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00F22177 push edi; retn 0000h 13_2_00F22179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_013C3D0A push eax; retf 13_2_013C3D51
Source: C:\Users\user\Desktop\FACTURAS.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: FACTURAS.exe, 00000000.00000002.2779665465.0000000003120000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
Source: FACTURAS.exe, 00000000.00000002.2779665465.0000000003120000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7334475913.0000000000E30000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: FACTURAS.exe, 00000000.00000002.2777688692.00000000005BD000.00000004.00000020.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: CasPol.exe, 0000000D.00000002.7334475913.0000000000E30000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=150165GSKZ9-M3FAHFFVN26GKULRYSZPU
Source: FACTURAS.exe, 00000000.00000002.2779725495.00000000031E9000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: CasPol.exe, 0000000D.00000002.7334475913.0000000000E30000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://drive.google.com/uc?export=download&id=150165GSkz9-m3FahfFvn26gkuLRySZPu
Source: CasPol.exe, 0000000D.00000002.7335956710.0000000001002000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW8
Source: FACTURAS.exe, 00000000.00000002.2779725495.00000000031E9000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: FACTURAS.exe, 00000000.00000002.2779725495.00000000031E9000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: FACTURAS.exe, 00000000.00000002.2779725495.00000000031E9000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: FACTURAS.exe, 00000000.00000002.2779725495.00000000031E9000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: CasPol.exe, 0000000D.00000002.7336567127.0000000001034000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: FACTURAS.exe, 00000000.00000002.2779665465.0000000003120000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7334475913.0000000000E30000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: FACTURAS.exe, 00000000.00000002.2779725495.00000000031E9000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: FACTURAS.exe, 00000000.00000002.2779725495.00000000031E9000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: FACTURAS.exe, 00000000.00000002.2779725495.00000000031E9000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: FACTURAS.exe, 00000000.00000002.2777688692.00000000005BD000.00000004.00000020.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: FACTURAS.exe, 00000000.00000002.2779665465.0000000003120000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll
Source: CasPol.exe, 0000000D.00000002.7341559645.0000000002BB9000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat
Source: CasPol.exe, 0000000D.00000002.7340987079.0000000001761000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000015.00000002.7335370516.000001EB84ED1000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: CasPol.exe, 0000000D.00000002.7340987079.0000000001761000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000015.00000002.7335370516.000001EB84ED1000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: CasPol.exe, 0000000D.00000002.7340987079.0000000001761000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000015.00000002.7335370516.000001EB84ED1000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: CasPol.exe, 0000000D.00000002.7340987079.0000000001761000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000015.00000002.7335370516.000001EB84ED1000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation