Source: 0000000D.00000000.325076127.0000000000D00000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downl"} |
Source: conhost.exe.2976.15.memstrmin |
Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "droidyandex@centraldefiltros.clicui4cu2@@mail.centraldefiltros.cldroidyandexreports@centraldefiltros.cl"} |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Virustotal: Detection: 53% |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Metadefender: Detection: 23% |
Source: pago del 20.01.2022.PDF______________________________________.exe |
ReversingLabs: Detection: 57% |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/terpfju9qddp0r9mjehva49e9rt3lobm/1643010900000/08383092466185559033/*/1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-00-6k-docs.googleusercontent.comConnection: Keep-Alive |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49786 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49785 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49786 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49785 -> 443 |
Source: CasPol.exe, 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: CasPol.exe, 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: CasPol.exe, 0000000D.00000003.364907661.000000000102F000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.544453919.0000000001029000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: CasPol.exe, 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp |
String found in binary or memory: http://mglNPC.com |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: CasPol.exe, 0000000D.00000003.364907661.000000000102F000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.544372729.0000000001004000.00000004.00000020.sdmp |
String found in binary or memory: https://doc-00-6k-docs.googleusercontent.com/ |
Source: CasPol.exe, 0000000D.00000002.544453919.0000000001029000.00000004.00000020.sdmp |
String found in binary or memory: https://doc-00-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/terpfju9 |
Source: CasPol.exe, 0000000D.00000002.544265522.0000000000FD3000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/ |
Source: CasPol.exe, 0000000D.00000002.544265522.0000000000FD3000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9 |
Source: pago del 20.01.2022.PDF______________________________________.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: CasPol.exe, 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/terpfju9qddp0r9mjehva49e9rt3lobm/1643010900000/08383092466185559033/*/1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-00-6k-docs.googleusercontent.comConnection: Keep-Alive |
Source: 00000000.00000002.371007980.000000000040B000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth |
Source: 00000000.00000000.274792398.000000000040B000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: 00000000.00000002.371007980.000000000040B000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000000.00000000.274792398.000000000040B000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_00411CB2 |
0_2_00411CB2 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_00411002 |
0_2_00411002 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 13_2_00D0E5B1 |
13_2_00D0E5B1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 13_2_1DB446A0 |
13_2_1DB446A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 13_2_1DB44690 |
13_2_1DB44690 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 13_2_1DB44672 |
13_2_1DB44672 |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371056590.0000000000429000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameDYPPEDES.exe vs pago del 20.01.2022.PDF______________________________________.exe |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Binary or memory string: OriginalFilenameDYPPEDES.exe vs pago del 20.01.2022.PDF______________________________________.exe |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Virustotal: Detection: 53% |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Metadefender: Detection: 23% |
Source: pago del 20.01.2022.PDF______________________________________.exe |
ReversingLabs: Detection: 57% |
Source: pago del 20.01.2022.PDF______________________________________.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_00412C60 push ds; retf |
0_2_00412C6E |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_00412D6F push es; iretd |
0_2_00412D77 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_004141C2 push esi; retf |
0_2_004141C5 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_00412988 push eax; iretd |
0_2_00412989 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_00412727 push ebx; retf |
0_2_00412771 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_004027E4 push esi; ret |
0_2_004027E5 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_004123E9 push esp; iretd |
0_2_004123EA |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_02340E47 push ds; retf |
0_2_02340E73 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_02343289 push esi; ret |
0_2_0234328C |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_02342AEB push ebp; retf |
0_2_02342AFC |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_023413D5 push edi; retf |
0_2_023413D6 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_0234193E push eax; retf |
0_2_0234193F |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_0234192E push esp; retf |
0_2_02341933 |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Code function: 0_2_02342916 push ebx; retf |
0_2_02342929 |
Source: unknown |
Process created: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Process created: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Process created: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371207766.000000000079A000.00000004.00000020.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEY |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371574091.0000000003140000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371574091.0000000003140000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSHTML.TLB |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371591025.000000000320A000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371574091.0000000003140000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\mshtml.tlb |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371207766.000000000079A000.00000004.00000020.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exey |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371591025.000000000320A000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: vmicshutdown |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371591025.000000000320A000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371591025.000000000320A000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371591025.000000000320A000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: vmicvss |
Source: CasPol.exe, 0000000D.00000002.544407815.0000000001015000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: CasPol.exe, 0000000D.00000002.544265522.0000000000FD3000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAWH |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371574091.0000000003140000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371591025.000000000320A000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371591025.000000000320A000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371591025.000000000320A000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: CasPol.exe, 0000000D.00000002.545379503.0000000002B8A000.00000004.00000001.sdmp |
Binary or memory string: vmicheartbeat |
Source: CasPol.exe, 0000000D.00000002.545130148.0000000001730000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: CasPol.exe, 0000000D.00000002.545130148.0000000001730000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: CasPol.exe, 0000000D.00000002.545130148.0000000001730000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: CasPol.exe, 0000000D.00000002.545130148.0000000001730000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: Yara match |
File source: 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: CasPol.exe PID: 2132, type: MEMORYSTR |
Source: Yara match |
File source: 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: CasPol.exe PID: 2132, type: MEMORYSTR |
Source: Yara match |
File source: 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: CasPol.exe PID: 2132, type: MEMORYSTR |