Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.solucionest.com.ar/office |
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.997300925.000000001C411000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728626213.000000001D5D1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5728362756.000000001D5A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://42ScOTnxUv4XWwo.net |
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: CasPol.exe, 00000004.00000002.5703889334.0000000001267000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://donaldtrumpverse.com/kO4_tiMHM116.bin |
Source: CasPol.exe, 00000004.00000002.5703889334.0000000001267000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://donaldtrumpverse.com/kO4_tiMHM116.bin2 |
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://jGgoxh.com |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0C |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0N |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0O |
Source: CasPol.exe, 00000004.00000002.5728626213.000000001D5D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: https://pie-us1.api.ws-hp.com/clienttelemetry |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/gun/com.hp.cdm.platform.software.domain.eventing.reso |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/originatorDetail.schema.json |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/sysInfoBase.schema.json |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: https://stage-us1.api.ws-hp.com/clienttelemetry |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: https://us1.api.ws-hp.com/clienttelemetry |
Source: CDMDataEventHandler.dll.0.dr | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: CasPol.exe, 00000004.00000002.5727171404.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe | Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service |
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss |
Source: CasPol.exe, 00000004.00000002.5704750244.000000000129C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5702999054.000000000122B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.945728921.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944634357.0000000000848000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.944895221.000000000087C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.946012142.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface |
Source: CasPol.exe, 00000004.00000002.5706457767.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |