| Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
| Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
| Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637414137.0000000000FE2000.00000004.00000020.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
| Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637414137.0000000000FE2000.00000004.00000020.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
| Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmp | String found in binary or memory: http://kFWRbv.com |
| Source: CasPol.exe, 00000006.00000003.21840136475.0000000000FDF000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
| Source: CasPol.exe, 00000006.00000003.21840136475.0000000000FDF000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq |
| Source: CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/ |
| Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/1 |
| Source: CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/09s7mqju |
| Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/e |
| Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/u |
| Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/ |
| Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/st |
| Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T |
| Source: CasPol.exe, 00000006.00000002.22636994763.0000000000F95000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T. |
| Source: CasPol.exe, 00000006.00000003.21840176556.0000000000FE6000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9TmPHLwNfjxpm9j9STo |
| Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00B21130 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00B24320 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00B23A50 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00B23708 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_1DED5E08 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_1DED46C4 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_1DED6AF1 |
| Source: unknown | Process created: C:\Users\user\Desktop\FACTURAS.exe "C:\Users\user\Desktop\FACTURAS.exe" |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe" |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe" |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe" |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe" |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_0040508B pushad ; ret |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_0040755C push cs; retf |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_00407179 push esp; iretd |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_00407584 push cs; retf |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_004085B8 push edx; retf |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_00406245 push ecx; retf |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_004072E6 push ebp; iretd |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_004042FC push edx; retf |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_0040972A push eax; iretd |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_004083D6 pushfd ; iretd |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 1_2_023247D6 push 00000063h; iretd |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\FACTURAS.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
| Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL |
| Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
| Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1E3NVGX3LLHNN9ZF6RWTJDW6FKTCAIH9T |
| Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service |
| Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWX |
| Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
| Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown |
| Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
| Source: CasPol.exe, 00000006.00000002.22637364540.0000000000FD8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWM |
| Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service |
| Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service |
| Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: vmicvss |
| Source: CasPol.exe, 00000006.00000002.22637364540.0000000000FD8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW |
| Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T |
| Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
| Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service |
| Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service |
| Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface |
| Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat |
| Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll |
| Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
| Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmp | Binary or memory string: Program Manager]\ |
| Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmp | Binary or memory string: Progman |
| Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Play interactive tour
Edit tour
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node