Windows Analysis Report
SecuriteInfo.com.generic.ml.10062.exe

Overview

General Information

Sample Name: SecuriteInfo.com.generic.ml.10062.exe
Analysis ID: 634320
MD5: 95050a1e0c7d4c57f62e26967b3b0bfd
SHA1: baa57d1bf6d8a41ba89c6d09bfc4ec2bc986830c
SHA256: 458597ef6835136826411179f244673d5b2702e906bedb3e470786eb455d98ce

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000001.00000002.62482366099.00000000032B0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://2.56.57.22/yendexoriginwithoutfilter_rtSDhNF87.bin"}
Source: SecuriteInfo.com.generic.ml.10062.exe.7996.1.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "droidyandex@centraldefiltros.clicui4cu2@@mail.centraldefiltros.cldroidyandexreports@centraldefiltros.cl"}
Source: SecuriteInfo.com.generic.ml.10062.exe Virustotal: Detection: 11%
Source: SecuriteInfo.com.generic.ml.10062.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.generic.ml.10062.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr
Source: Binary string: System.IO.FileSystem.Watcher.ni.pdb source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.1.dr
Source: Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Watcher\net6.0-windows-Release\System.IO.FileSystem.Watcher.pdb source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.1.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B

Networking

Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49763 -> 2.56.57.22:80
Source: Malware configuration extractor URLs: http://2.56.57.22/yendexoriginwithoutfilter_rtSDhNF87.bin
Source: Joe Sandbox View ASN Name: GBTCLOUDUS GBTCLOUDUS
Source: global traffic HTTP traffic detected: GET /yendexoriginwithoutfilter_rtSDhNF87.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 2.56.57.22 Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: CasPol.exe, 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000005.00000003.63392768852.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67188771993.00000000011C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/yendexoriginwithoutfilter_rtSDhNF87.bin
Source: CasPol.exe, 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: folder-publicshare.png.1.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mglNPC.com
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://sv.symcd.com0&
Source: avutil-54.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr String found in binary or memory: http://www.avast.com0/
Source: SecuriteInfo.com.generic.ml.10062.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://www.nero.com
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.1.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.1.dr, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: CasPol.exe, 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00405809

System Summary

Source: 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 4028, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: SecuriteInfo.com.generic.ml.10062.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 4028, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_00406D5F 1_2_00406D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_6F671BFF 1_2_6F671BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032C1E19 1_2_032C1E19
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032C09E6 1_2_032C09E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032BA722 1_2_032BA722
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032C1E19 NtAllocateVirtualMemory, 1_2_032C1E19
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032C41B7 NtResumeThread, 1_2_032C41B7
Source: System.IO.FileSystem.Watcher.dll.1.dr Static PE information: No import functions for PE file found
Source: MsMpLics.dll.1.dr Static PE information: No import functions for PE file found
Source: lang-1045.dll.1.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameARMOURY CRATE eGPU Product.exe8 vs SecuriteInfo.com.generic.ml.10062.exe
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.generic.ml.10062.exe
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.IO.FileSystem.Watcher.dll@ vs SecuriteInfo.com.generic.ml.10062.exe
Source: SecuriteInfo.com.generic.ml.10062.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
Source: SecuriteInfo.com.generic.ml.10062.exe Static PE information: invalid certificate
Source: p11-kit-trust.dll.1.dr Static PE information: Number of sections : 11 > 10
Source: SecuriteInfo.com.generic.ml.10062.exe Virustotal: Detection: 11%
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe
Source: SecuriteInfo.com.generic.ml.10062.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe "C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File created: C:\Users\user\AppData\Local\Temp\nsv213.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/14@0/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404AB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:304:WilStaging_02
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File written: C:\Users\user\AppData\Local\Temp\krista.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.generic.ml.10062.exe Static file information: File size 1447056 > 1048576
Source: SecuriteInfo.com.generic.ml.10062.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62481419345.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.1.dr
Source: Binary string: System.IO.FileSystem.Watcher.ni.pdb source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.1.dr
Source: Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Watcher\net6.0-windows-Release\System.IO.FileSystem.Watcher.pdb source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62478493581.000000000293F000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.1.dr

Data Obfuscation

barindex
Source: Yara match File source: 00000001.00000002.62482366099.00000000032B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.62332198808.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_6F6730C0 push eax; ret 1_2_6F6730EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032BC74F push 3A3A3F63h; retf 1_2_032BC76A
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032B8E23 pushad ; iretd 1_2_032B8E2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032B5AC9 push FFFFFF86h; iretd 1_2_032B5ACC
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032B9AD4 push esp; retf 1_2_032B9AD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032BC9C2 push ebp; iretd 1_2_032BC9C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134142F push edi; retn 0000h 5_2_01341431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CC2A pushad ; ret 5_2_0134CC55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CC06 pushad ; ret 5_2_0134CC0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CC56 pushad ; ret 5_2_0134CC59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CC96 pushad ; ret 5_2_0134CC9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CC9E pushad ; ret 5_2_0134CCA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CC83 pushad ; ret 5_2_0134CC8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CC8E pushad ; ret 5_2_0134CC95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CCE6 pushad ; ret 5_2_0134CCE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CCE2 pushad ; ret 5_2_0134CCE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CCEE pushad ; ret 5_2_0134CCF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CCEA pushad ; ret 5_2_0134CCED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CCDE pushad ; ret 5_2_0134CCE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CCDA pushad ; ret 5_2_0134CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CCCF pushad ; ret 5_2_0134CCD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CB26 pushad ; ret 5_2_0134CB29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CB16 push ss; ret 5_2_0134CB19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CB12 push ss; ret 5_2_0134CB15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CB1A pushad ; ret 5_2_0134CB25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CB6E pushad ; ret 5_2_0134CB75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CB46 push ss; ret 5_2_0134CB5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CBB2 pushad ; ret 5_2_0134CBBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CBBE pushad ; ret 5_2_0134CBC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CBAE push ss; ret 5_2_0134CBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134CBAA push ss; ret 5_2_0134CBAD
Source: p11-kit-trust.dll.1.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_6F671BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6F671BFF
Source: MsMpLics.dll.1.dr Static PE information: 0xE6DA2BE7 [Wed Sep 24 01:22:47 2092 UTC]
Source: initial sample Static PE information: section name: .text entropy: 6.94282730477
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File created: C:\Users\user\AppData\Local\Temp\nsi821.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File created: C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File created: C:\Users\user\AppData\Local\Temp\avutil-54.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File created: C:\Users\user\AppData\Local\Temp\lang-1045.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File created: C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File created: C:\Users\user\AppData\Local\Temp\MsMpLics.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File created: C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62482616857.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62482616857.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4232 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\avutil-54.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lang-1045.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MsMpLics.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032B1F29 rdtsc 1_2_032B1F29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe API call chain: ExitProcess graph end node
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62483095871.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62482616857.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62483095871.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62483095871.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62483095871.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62483095871.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: avutil-54.dll.1.dr Binary or memory string: xvmcidct
Source: CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000005.00000003.63392916195.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67188286070.000000000117B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67188909794.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62482616857.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62483095871.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: CasPol.exe, 00000005.00000003.63392916195.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67188909794.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%k,
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62483095871.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.generic.ml.10062.exe, 00000001.00000002.62483095871.0000000004F19000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000005.00000002.67190695311.0000000002D09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_6F671BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6F671BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032B1F29 rdtsc 1_2_032B1F29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032C121E mov eax, dword ptr fs:[00000030h] 1_2_032C121E
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032C1954 mov eax, dword ptr fs:[00000030h] 1_2_032C1954
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032BA4F9 mov eax, dword ptr fs:[00000030h] 1_2_032BA4F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_0134F328 LdrInitializeThunk, 5_2_0134F328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F00000
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_032B78D6 cpuid 1_2_032B78D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.10062.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4028, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4028, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.67212135583.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4028, type: MEMORYSTR