Source: 00000010.00000000.266464354998.0000000001300000.00000040.00000400.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cidO"} |
Source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9bd83597-93e4-4366-8889-6a4efb8a", "Group": "2022", "Domain1": "tochukwu1122.ddns.net", "Domain2": "127.0.0.1", "Port": 1122, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions 
Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"} |
Source: Yara match |
File source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: CasPol.exe PID: 3064, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: CasPol.exe PID: 7664, type: MEMORYSTR |
Source: powershell.exe, 0000000A.00000002.266616415243.0000000008E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266461629328.0000000008E35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.266608445995.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266459610439.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266840482525.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: powershell.exe, 0000000A.00000002.266616415243.0000000008E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266461629328.0000000008E35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.266608445995.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.266459610439.00000000080D0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266840482525.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.m |
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://microsoft.co |
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000A.00000002.266590681721.0000000005509000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 0000000A.00000002.266588787753.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.268515140389.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.268357616536.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268352485259.0000000005351000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000A.00000002.266590681721.0000000005509000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000000A.00000002.266588787753.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.268515140389.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.268357616536.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.268352485259.0000000005351000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000A.00000002.266590681721.0000000005509000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 0000000A.00000003.266207346947.0000000005DE8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: CasPol.exe, 00000010.00000003.266840482525.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266561876381.00000000016C0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266840397089.00000000016C0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551480695.00000000016C1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268392159029.0000000001158000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268394477912.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401655086.0000000001208000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/ |
Source: CasPol.exe, 00000010.00000003.266840482525.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/&. |
Source: CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/)M |
Source: CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/EM |
Source: CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/N |
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/P |
Source: CasPol.exe, 00000022.00000002.268394477912.00000000011ED000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/_Event_ |
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/y |
Source: CasPol.exe, 00000025.00000003.268315507584.0000000001285000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000003.268319359560.0000000001285000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268402634074.0000000001275000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/y4m3WEg51wPpMvwOBDGQxc03AePN0yY86OyXcDJxrS2Yo4kmiHKJqicrFmOOu5sbK8F |
Source: CasPol.exe, 00000010.00000003.266562538409.0000000001711000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000003.268320218693.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000003.268319359560.0000000001285000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268402634074.0000000001275000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/y4m624plfyYIXAWdtfrz_bfoDWfcwPUj5QFno4RLBcRH3SrJIxCwmlV2VAmgwJvM6c3 |
Source: CasPol.exe, 00000010.00000003.266562042776.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266552003351.0000000001712000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267134796205.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267399589907.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.267057712404.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000010.00000003.266971022965.00000000016CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/y4mLaMkqxgfgA77Nhx7Bu5i00p-BE1O1XpIc_eFvfEnM8XOp9-VuvKR5WbEVOk6Ajy9 |
Source: CasPol.exe, 00000022.00000003.268306189563.0000000001212000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/y4mamlucM5WMHi-wCNvNvuQyTGytao2V_4itsZyI16BJ46ANIo0HsJrTQX8HYAUh18L |
Source: CasPol.exe, 00000010.00000003.266551551961.00000000016CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://kadnjg.bn.files.1drv.com/z.3 |
Source: powershell.exe, 0000000A.00000002.266604273172.000000000641A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000002.268392159029.0000000001158000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000022.00000003.268306189563.0000000001212000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000025.00000002.268401907263.000000000122D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://onedrive.live.com/ |
Source: CasPol.exe, 00000025.00000002.268398436566.0000000000B60000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://onedrive.live.com/download?cid=2B80EFEE51D0620B&resid=2B80EFEE51D0620B%21266&authkey=AEVbDmT |
Source: CasPol.exe, 00000022.00000002.268393588039.00000000011AF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://onedrive.live.com/x0?b |
Source: 37.2.CasPol.exe.1e1c3f10.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 34.2.CasPol.exe.1e173f10.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 37.2.CasPol.exe.1f1eeadc.3.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 34.2.CasPol.exe.1f19eadc.2.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 34.2.CasPol.exe.1f1a3105.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 37.2.CasPol.exe.1f1f3105.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 34.2.CasPol.exe.1f19eadc.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 37.2.CasPol.exe.1f1e9ca6.2.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 34.2.CasPol.exe.1f199ca6.1.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 37.2.CasPol.exe.1f1eeadc.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000022.00000002.268467219270.000000001E151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000022.00000002.268467630247.000000001F151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000025.00000002.268476945395.000000001E1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000025.00000002.268477360466.000000001F1A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: CasPol.exe PID: 3064, type: MEMORYSTR |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: CasPol.exe PID: 7664, type: MEMORYSTR |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |