Source: CasPol.exe, 00000004.00000002.178067906148.000000001DFE1000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: CasPol.exe, 00000004.00000002.178067906148.000000001DFE1000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: CasPol.exe, 00000004.00000002.178069183188.000000001E0EE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178075825984.00000000201CE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178075641973.00000000201AE000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: CasPol.exe, 00000004.00000003.174390973147.00000000010D2000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173182619305.00000000010D4000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178057799249.00000000010D2000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173178007336.00000000010DB000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173178484304.00000000010DB000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: CasPol.exe, 00000004.00000002.178069183188.000000001E0EE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178076040939.00000000201F5000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178075641973.00000000201AE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.174391935597.00000000201F1000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178057401527.0000000001085000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q |
Source: CasPol.exe, 00000004.00000002.178069183188.000000001E0EE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178076040939.00000000201F5000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178075641973.00000000201AE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.174391935597.00000000201F1000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0 |
Source: CasPol.exe, 00000004.00000003.174390973147.00000000010D2000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173182619305.00000000010D4000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178057799249.00000000010D2000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173178007336.00000000010DB000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173178484304.00000000010DB000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: CasPol.exe, 00000004.00000002.178069183188.000000001E0EE000.00000004.00000001.sdmp |
String found in binary or memory: http://furteksdokuma.com.tr |
Source: CasPol.exe, 00000004.00000002.178069183188.000000001E0EE000.00000004.00000001.sdmp |
String found in binary or memory: http://mail.furteksdokuma.com.tr |
Source: CasPol.exe, 00000004.00000002.178069183188.000000001E0EE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178076040939.00000000201F5000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178075825984.00000000201CE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178075641973.00000000201AE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.174391935597.00000000201F1000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178057401527.0000000001085000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: CasPol.exe, 00000004.00000002.178067906148.000000001DFE1000.00000004.00000001.sdmp |
String found in binary or memory: http://tbLjUn.com |
Source: CasPol.exe, 00000004.00000003.173178007336.00000000010DB000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173178484304.00000000010DB000.00000004.00000001.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
Source: CasPol.exe, 00000004.00000003.173178007336.00000000010DB000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173178484304.00000000010DB000.00000004.00000001.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq |
Source: CasPol.exe, 00000004.00000003.173182619305.00000000010D4000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.173178484304.00000000010DB000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178057401527.0000000001085000.00000004.00000020.sdmp |
String found in binary or memory: https://doc-0k-5k-docs.googleusercontent.com/ |
Source: CasPol.exe, 00000004.00000003.173182619305.00000000010D4000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-5k-docs.googleusercontent.com/( |
Source: CasPol.exe, 00000004.00000003.173178484304.00000000010DB000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-5k-docs.googleusercontent.com/C |
Source: CasPol.exe, 00000004.00000003.173178484304.00000000010DB000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-5k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/voq4luic |
Source: CasPol.exe, 00000004.00000002.178057056788.0000000001048000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/ |
Source: CasPol.exe, 00000004.00000002.178058495885.0000000001140000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178057401527.0000000001085000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1TZC5rT7z4IslTtNi8eG1vxrTVZrhSZe8 |
Source: CasPol.exe, 00000004.00000003.173178419445.00000000010D4000.00000004.00000001.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1TZC5rT7z4IslTtNi8eG1vxrTVZrhSZe8n8F9DBSEsUFAom988 |
Source: CasPol.exe, 00000004.00000002.178069379415.000000001E112000.00000004.00000001.sdmp |
String found in binary or memory: https://lao1LlhpkeBMmFJyrpB.net |
Source: CasPol.exe, 00000004.00000002.178069183188.000000001E0EE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178076040939.00000000201F5000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178075641973.00000000201AE000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.174391935597.00000000201F1000.00000004.00000001.sdmp |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: CasPol.exe, 00000004.00000002.178067906148.000000001DFE1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_0040153C |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_00401778 |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_0040172B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_3_010DB847 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E06D90 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E007E0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E4C058 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E41130 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E43A50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E4BA30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E44320 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E4C790 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_00E43708 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_0103BB60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_01039B70 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_010396F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_0103DEC8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_1DDF5E08 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_1DDF46C4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_2_1DDF6AF1 |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_0040443B push ds; iretd | 2_2_0040443C |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_00412CE9 pushfd ; iretd | 2_2_00412CEF |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_004078BA push esp; ret | 2_2_004078C0 |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_00408951 push esi; iretd | 2_2_0040895C |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_0040A585 push edi; ret | 2_2_0040A587 |
Source: C:\Users\user\Desktop\exe.exe |
Code function: 2_2_02AD4D3F push edx; iretd | 2_2_02AD4D40 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_3_010DBD4F push cs; iretd | 4_3_010DBD50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 4_3_010DCAEF push ds; retf | 4_3_010DCAF0 |
Source: C:\Users\user\Desktop\exe.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX (74 identical rows) |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: exe.exe, 00000002.00000002.173207280826.0000000003100000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL |
Source: exe.exe, 00000002.00000002.173205251497.0000000000644000.00000004.00000020.sdmp |
Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0UD |
Source: exe.exe, 00000002.00000002.173207280826.0000000003100000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178058495885.0000000001140000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: CasPol.exe, 00000004.00000002.178058495885.0000000001140000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1TZC5RT7Z4ISLTTNI8EG1VXRTVZRHSZE8 |
Source: exe.exe, 00000002.00000002.173207347901.00000000031C9000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: exe.exe, 00000002.00000002.173207347901.00000000031C9000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: vmicshutdown |
Source: exe.exe, 00000002.00000002.173207347901.00000000031C9000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: CasPol.exe, 00000004.00000002.178058495885.0000000001140000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://drive.google.com/uc?export=download&id=1TZC5rT7z4IslTtNi8eG1vxrTVZrhSZe8 |
Source: exe.exe, 00000002.00000002.173207280826.0000000003100000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll |
Source: exe.exe, 00000002.00000002.173205251497.0000000000644000.00000004.00000020.sdmp |
Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe0Ud |
Source: exe.exe, 00000002.00000002.173207347901.00000000031C9000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: exe.exe, 00000002.00000002.173207347901.00000000031C9000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: vmicvss |
Source: CasPol.exe, 00000004.00000002.178057627252.00000000010B8000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000003.174390768568.00000000010B8000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178057056788.0000000001048000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: exe.exe, 00000002.00000002.173207280826.0000000003100000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178058495885.0000000001140000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: exe.exe, 00000002.00000002.173207347901.00000000031C9000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: exe.exe, 00000002.00000002.173207347901.00000000031C9000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: exe.exe, 00000002.00000002.173207347901.00000000031C9000.00000004.00000001.sdmp, CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: CasPol.exe, 00000004.00000002.178060093859.0000000002D39000.00000004.00000001.sdmp |
Binary or memory string: vmicheartbeat |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical rows) |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |