Windows Analysis Report
Original Shipment_Document.PDF.exe

Overview

General Information

Sample Name: Original Shipment_Document.PDF.exe
Analysis ID: 679174
MD5: 626cdeaa4696c819fd07921073f6c740
SHA1: b094f5e4c3792a05b7f307ad78d2e52cfcbf87b4
SHA256: d8519cee2bbf5c257375b339d530b33f275db40c06de0f96911eb5b4f207f2c5

Detection

Nanocore, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected GuLoader
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Mass process execution to delay analysis
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Obfuscated command line found
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: Original Shipment_Document.PDF.exe Virustotal: Detection: 32%
Source: Original Shipment_Document.PDF.exe ReversingLabs: Detection: 22%
Source: 00000088.00000000.185799522780.0000000000E30000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r"}
Source: Original Shipment_Document.PDF.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: unknown HTTPS traffic detected: 142.250.179.174:443 -> 192.168.11.20:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49792 version: TLS 1.2
Source: Original Shipment_Document.PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C13
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0040683D FindFirstFileW,FindClose, 1_2_0040683D
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\

Networking

Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49794 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49794 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49794 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49799 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49799 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49801 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49801 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49805 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49805 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 188.127.230.176:4726 -> 192.168.11.20:49805
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49807 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49807 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49808 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49808 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49809 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49809 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49811 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49811 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49812 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49812 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49813 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49813 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49815 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49815 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49815 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49816 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49816 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49819 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49819 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49820 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49820 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49822 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49822 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49823 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49823 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49824 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49824 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49825 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49825 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49826 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 188.127.230.176:4726 -> 192.168.11.20:49826
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49826 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49828 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49828 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49829 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49829 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49829 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49830 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49830 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49831 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49831 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49832 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49832 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 188.127.230.176:4726 -> 192.168.11.20:49832
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49835 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49835 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49836 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49836 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49837 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49837 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49838 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49838 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49839 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49839 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49840 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49840 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49841 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49841 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49841 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49842 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49842 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49843 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49843 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49844 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49844 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49846 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49846 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49847 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49847 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49848 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49848 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49849 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49849 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49850 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49850 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49851 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49851 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49852 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49852 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49852 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49853 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49853 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49854 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49854 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49855 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49855 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 188.127.230.176:4726 -> 192.168.11.20:49855
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49856 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49856 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49857 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49857 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49858 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49858 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49860 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49860 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49861 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49861 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49862 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49862 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49862 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49863 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49863 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49865 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49865 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49866 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49866 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49867 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49867 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49868 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49868 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49869 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49869 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49870 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49870 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49871 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49871 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49872 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 188.127.230.176:4726 -> 192.168.11.20:49872
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49872 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49873 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49873 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49873 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49878 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49878 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49879 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49879 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 188.127.230.176:4726 -> 192.168.11.20:49879
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49880 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49880 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49881 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49881 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49883 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49883 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49884 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49884 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49885 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49885 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49886 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49886 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49887 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49887 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49887 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49888 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49888 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49889 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49889 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49890 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49890 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49891 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49891 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49892 -> 188.127.230.176:4726
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 188.127.230.176:4726 -> 192.168.11.20:49892
Source: Yara match File source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
    GET /uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bcmtj5ie1disn24fvm7mb2d8jibr4j1v/1659691950000/06422039211485589527/*/1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r?e=download&uuid=fa4270ed-3082-4e6e-8e77-e38f9ee0c1fd HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-14-70-docs.googleusercontent.com
    Connection: Keep-Alive
Source: global traffic TCP traffic: 192.168.11.20:49794 -> 188.127.230.176:4726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000088.00000003.186209483638.0000000001241000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.185951105666.0000000001241000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.185946644468.000000000122A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000088.00000003.185946644468.000000000122A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: Original Shipment_Document.PDF.exe, windows.exe.136.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000088.00000003.185946644468.000000000122A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: CasPol.exe, 00000088.00000003.186565322060.0000000001202000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186517811821.0000000001201000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186208501547.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.185951314480.0000000001252000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-14-70-docs.googleusercontent.com/
Source: CasPol.exe, 00000088.00000003.185950717846.0000000001214000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186208501547.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-14-70-docs.googleusercontent.com/%%doc-14-70-docs.googleusercontent.com
Source: CasPol.exe, 00000088.00000003.185946644468.000000000122A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186208501547.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-14-70-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bcmtj5ie
Source: CasPol.exe, 00000088.00000003.186210437136.00000000011CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000088.00000003.186210437136.00000000011CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r
Source: CasPol.exe, 00000088.00000003.186345012682.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186246224448.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186210437136.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186438307331.00000000011D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2roiA
Source: CasPol.exe, 00000088.00000003.186210437136.00000000011CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/x~
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected:
GET /uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: drive.google.com
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bcmtj5ie1disn24fvm7mb2d8jibr4j1v/1659691950000/06422039211485589527/*/1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r?e=download&uuid=fa4270ed-3082-4e6e-8e77-e38f9ee0c1fd HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: doc-14-70-docs.googleusercontent.com
Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.179.174:443 -> 192.168.11.20:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49792 version: TLS 1.2
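The two GET requests above are the loader's payload fetch: a Google Drive direct-download URL (uc?export=download, then the doc-*.googleusercontent.com hop it redirects to) requested with the Internet Explorer 11 Trident User-Agent, Cache-Control: no-cache and no Accept header, which a real browser always sends. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses raw HTTP request heads and scores exactly that combination. The requests it checks are rebuilt from the two GET lines above with their CRLFs restored, plus a constructed Chrome request to the same URL as a benign control; the scoring threshold is an assumption.

```python
"""Score HTTP request heads that look like the payload fetch in this report.
Added example, not part of the Joe Sandbox report; SAMPLE_REQUESTS are
rebuilt from the two GET lines above (CRLFs restored) plus a constructed
browser request used as a benign control."""
import re
from urllib.parse import parse_qs, urlsplit

FILE_ID = "1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r"          # Drive id from the report
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
TRIDENT = re.compile(r"Trident/7\.0;\s*rv:11\.0\)\s*like Gecko")


def http(*lines):
    """Join a request line and headers with CRLFs as they appear on the wire."""
    return "\r\n".join(lines) + "\r\n\r\n"


SAMPLE_REQUESTS = {
    "drive": http("GET /uc?export=download&id=" + FILE_ID + " HTTP/1.1",
                  "User-Agent: " + IE11_UA,
                  "Host: drive.google.com",
                  "Cache-Control: no-cache"),
    "usercontent": http("GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/"
                        "bcmtj5ie1disn24fvm7mb2d8jibr4j1v/1659691950000/"
                        "06422039211485589527/*/" + FILE_ID +
                        "?e=download&uuid=fa4270ed-3082-4e6e-8e77-e38f9ee0c1fd HTTP/1.1",
                        "User-Agent: " + IE11_UA,
                        "Cache-Control: no-cache",
                        "Host: doc-14-70-docs.googleusercontent.com",
                        "Connection: Keep-Alive"),
    # Constructed control: a browser fetching the same Drive URL.
    "browser": http("GET /uc?export=download&id=" + FILE_ID + " HTTP/1.1",
                    "Host: drive.google.com",
                    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
                    "Accept: text/html,application/xhtml+xml,*/*;q=0.8",
                    "Accept-Language: en-US,en;q=0.9"),
}


def parse_head(raw):
    """Split a raw request into (method, target, headers dict with lowercase keys)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw, threshold=2):
    """Return None for requests that are not Google Drive downloads; otherwise a
    finding with the Drive file id and the reasons it looks like a loader fetch.
    The threshold (reasons beyond the URL shape itself) is an assumption."""
    method, target, headers = parse_head(raw)
    host = headers.get("host", "").lower()
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    reasons, file_id = [], None
    if host == "drive.google.com" and parts.path == "/uc" and query.get("export") == ["download"]:
        reasons.append("drive.google.com direct-download URL")
        file_id = query.get("id", [None])[0]
    elif host.endswith(".googleusercontent.com") and "/docs/securesc/" in parts.path:
        reasons.append("googleusercontent securesc download URL")
        file_id = parts.path.rsplit("/", 1)[-1]     # the id is the last path segment
    if method != "GET" or not reasons:
        return None
    if TRIDENT.search(headers.get("user-agent", "")):
        reasons.append("IE11 Trident User-Agent")
    if headers.get("cache-control", "").lower() == "no-cache":
        reasons.append("Cache-Control: no-cache")
    if "accept" not in headers:
        reasons.append("no Accept header, which browsers always send")
    return {"host": host, "file_id": file_id, "reasons": reasons,
            "suspicious": len(reasons) - 1 >= threshold}


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, classify(raw))
```

The same Drive id appears in the drive.google.com request and in the googleusercontent hop, so the two requests can be joined on it. Matching on the User-Agent alone is fragile; the rule's value lies in the combination with the export=download path and the missing browser headers.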
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_004056A8
Source: Conhost.exe Process created: 63
Source: cmd.eXe Process created: 119

System Summary

barindex
Source: 136.3.CasPol.exe.1ed365d7.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 136.3.CasPol.exe.1ed365d7.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 136.3.CasPol.exe.1ed365d7.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 136.3.CasPol.exe.1ed1c57e.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 136.3.CasPol.exe.1ed1c57e.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 136.3.CasPol.exe.1ed1c57e.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: CasPol.exe PID: 4156, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 4156, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: initial sample Static PE information: Filename: Original Shipment_Document.PDF.exe
Source: Original Shipment_Document.PDF.exe Static file information: Suspicious name
Source: Original Shipment_Document.PDF.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 136.3.CasPol.exe.1ed365d7.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed365d7.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed365d7.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 136.3.CasPol.exe.1ed365d7.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 136.3.CasPol.exe.1ed1c57e.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed1c57e.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed1c57e.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 136.3.CasPol.exe.1ed1c57e.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 136.3.CasPol.exe.1ed1c57e.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 136.3.CasPol.exe.1ed365d7.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 136.3.CasPol.exe.1ed30ba9.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: CasPol.exe PID: 4156, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CasPol.exe PID: 4156, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004034F7
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_00406BFE 1_2_00406BFE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_718D1BFF 1_2_718D1BFF
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328F608 1_2_0328F608
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03290DE4 1_2_03290DE4
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281329 1_2_03281329
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328032E 1_2_0328032E
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03289B38 1_2_03289B38
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280B39 1_2_03280B39
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281B3F 1_2_03281B3F
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281730 1_2_03281730
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03282731 1_2_03282731
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280B00 1_2_03280B00
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280F17 1_2_03280F17
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280B6D 1_2_03280B6D
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328076E 1_2_0328076E
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281365 1_2_03281365
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280366 1_2_03280366
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281B71 1_2_03281B71
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281774 1_2_03281774
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03286775 1_2_03286775
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03291B4A 1_2_03291B4A
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328FB4E 1_2_0328FB4E
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280F59 1_2_03280F59
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03289F53 1_2_03289F53
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280BAB 1_2_03280BAB
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032817A4 1_2_032817A4
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032803A4 1_2_032803A4
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281BB9 1_2_03281BB9
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032873B1 1_2_032873B1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280F94 1_2_03280F94
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032817FB 1_2_032817FB
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328A3F0 1_2_0328A3F0
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032803F1 1_2_032803F1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280BF7 1_2_03280BF7
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032817CE 1_2_032817CE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280FD8 1_2_03280FD8
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032807D2 1_2_032807D2
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281BD7 1_2_03281BD7
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280E29 1_2_03280E29
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281A2A 1_2_03281A2A
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328122D 1_2_0328122D
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328022E 1_2_0328022E
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280E24 1_2_03280E24
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280634 1_2_03280634
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03284608 1_2_03284608
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03293E12 1_2_03293E12
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280A15 1_2_03280A15
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280262 1_2_03280262
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328127B 1_2_0328127B
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281A72 1_2_03281A72
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03289674 1_2_03289674
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280A5D 1_2_03280A5D
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280E5E 1_2_03280E5E
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03289A50 1_2_03289A50
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280EAA 1_2_03280EAA
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032802AC 1_2_032802AC
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032806B8 1_2_032806B8
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032872B9 1_2_032872B9
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032812B1 1_2_032812B1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03285EB7 1_2_03285EB7
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280A8B 1_2_03280A8B
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280EE5 1_2_03280EE5
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032802E6 1_2_032802E6
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032806E7 1_2_032806E7
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281AFE 1_2_03281AFE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281AD8 1_2_03281AD8
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280AD6 1_2_03280AD6
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328192B 1_2_0328192B
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280124 1_2_03280124
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328093B 1_2_0328093B
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03289D34 1_2_03289D34
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280D08 1_2_03280D08
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281D09 1_2_03281D09
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280506 1_2_03280506
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281112 1_2_03281112
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328996C 1_2_0328996C
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328117F 1_2_0328117F
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280174 1_2_03280174
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281975 1_2_03281975
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328715C 1_2_0328715C
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280D52 1_2_03280D52
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280952 1_2_03280952
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032801A4 1_2_032801A4
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032811BD 1_2_032811BD
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280DBE 1_2_03280DBE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032819B1 1_2_032819B1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280D89 1_2_03280D89
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328099F 1_2_0328099F
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032811ED 1_2_032811ED
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032871EE 1_2_032871EE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032805EF 1_2_032805EF
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032801E3 1_2_032801E3
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032819F6 1_2_032819F6
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032805C4 1_2_032805C4
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032809DC 1_2_032809DC
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281020 1_2_03281020
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03290825 1_2_03290825
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328083A 1_2_0328083A
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280C3B 1_2_03280C3B
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281833 1_2_03281833
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280005 1_2_03280005
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281C18 1_2_03281C18
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03293019 1_2_03293019
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03289C19 1_2_03289C19
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280013 1_2_03280013
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328186C 1_2_0328186C
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0329246F 1_2_0329246F
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280463 1_2_03280463
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328087E 1_2_0328087E
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03286C42 1_2_03286C42
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280054 1_2_03280054
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281C56 1_2_03281C56
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03286C56 1_2_03286C56
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032898BD 1_2_032898BD
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280C80 1_2_03280C80
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03287485 1_2_03287485
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280098 1_2_03280098
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032860F9 1_2_032860F9
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281CCC 1_2_03281CCC
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032898C0 1_2_032898C0
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280CC1 1_2_03280CC1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032808C4 1_2_032808C4
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032804C5 1_2_032804C5
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032810DE 1_2_032810DE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 140_2_051504B0 140_2_051504B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 140_2_05150938 140_2_05150938
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0329371A NtResumeThread, 1_2_0329371A
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03290DE4 NtAllocateVirtualMemory, 1_2_03290DE4
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03292895 NtProtectVirtualMemory, 1_2_03292895
Source: Original Shipment_Document.PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: Original Shipment_Document.PDF.exe Static PE information: invalid certificate
Source: Original Shipment_Document.PDF.exe Virustotal: Detection: 32%
Source: Original Shipment_Document.PDF.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File read: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Jump to behavior
Source: Original Shipment_Document.PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe "C:\Users\user\Desktop\Original Shipment_Document.PDF.exe"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697965^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216675^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x10307B37^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15733C65^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A6B6F7F^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Original Shipment_Document.PDF.exe"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DD1.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216675^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x10307B37^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DD1.tmp
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004034F7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File created: C:\Users\user\AppData\Local\Temp\nsiB404.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@192/15@92/3
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404954
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{8a31290f-d587-43a1-8a5b-8b2e6c04b993}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Original Shipment_Document.PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000088.00000000.185799522780.0000000000E30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.185975230036.0000000003280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216675^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x10307B37^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15733C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A6B6F7F^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216675^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x10307B37^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_718D30C0 push eax; ret 1_2_718D30EE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032840A0 push ebp; retf 1_2_0328424A
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03284BB8 push esp; ret 1_2_03284BB9
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03280BF5 push esi; iretd 1_2_03280BF6
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328B3C9 push 00000059h; iretd 1_2_0328B3D1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03284221 push ebp; retf 1_2_0328424A
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03283A13 push cs; iretd 1_2_03283A15
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03283250 push ss; ret 1_2_0328325E
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03285AE6 push 38EC4568h; retf 1_2_03285B30
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032882CD push cs; retf 1_2_032882CE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032896D5 push 38D28568h; ret 1_2_03289708
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03287D4C push 22C116CCh; ret 1_2_03287D51
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03287D91 pushfd ; retf 1_2_03287DCE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032879EB push FFFFFFB3h; iretd 1_2_03287A22
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328B1CA push eax; iretd 1_2_0328B1CD
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328ACE4 push ds; retf 1_2_0328AD09
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_718D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_718D1BFF
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File created: C:\Users\user\AppData\Local\Temp\nsaB9E2.tmp\System.dll
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File created: C:\Users\user\AppData\Local\Temp\nsaB9E2.tmp\nsExec.dll

Boot Survival

Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DD1.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete
Source: Possible double extension: pdf.exe Static PE information: Original Shipment_Document.PDF.exe
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975454741.0000000003381000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975454741.0000000003381000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5052 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5052 Thread sleep time: -31300s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 1372 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281329 rdtsc 1_2_03281329
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 626
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 1018
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 577
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C13
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0040683D FindFirstFileW,FindClose, 1_2_0040683D
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000088.00000003.186208501547.00000000011FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975454741.0000000003381000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 00000088.00000003.186210437136.00000000011CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975454741.0000000003381000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: Original Shipment_Document.PDF.exe, 00000001.00000002.185975967434.0000000004F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: CasPol.exe, 00000088.00000003.186208501547.00000000011FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW=2_
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_718D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_718D1BFF
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03281329 rdtsc 1_2_03281329
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03289F60 mov eax, dword ptr fs:[00000030h] 1_2_03289F60
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03291B4A mov eax, dword ptr fs:[00000030h] 1_2_03291B4A
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_03289F53 mov eax, dword ptr fs:[00000030h] 1_2_03289F53
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328D205 mov eax, dword ptr fs:[00000030h] 1_2_0328D205
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328FD64 mov eax, dword ptr fs:[00000030h] 1_2_0328FD64
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328A172 mov ebx, dword ptr fs:[00000030h] 1_2_0328A172
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032909E1 mov eax, dword ptr fs:[00000030h] 1_2_032909E1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328A020 mov eax, dword ptr fs:[00000030h] 1_2_0328A020
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032898BD mov eax, dword ptr fs:[00000030h] 1_2_032898BD
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_032898C0 mov eax, dword ptr fs:[00000030h] 1_2_032898C0
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_0328FD77 LdrLoadDll, 1_2_0328FD77
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: E30000 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697965^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216675^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697965^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x10307B37^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DD1.tmp Jump to behavior
Source: CasPol.exe, 00000088.00000003.186100296322.000000001FA62000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186128387512.000000001FA62000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000088.00000003.186172734108.000000001FA62000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 1_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004034F7
Source: C:\Windows\SysWOW64\cmd.eXe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.eXe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\SysWOW64\cmd.eXe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct

Remote Access Functionality

Source: CasPol.exe, 00000088.00000003.185986328993.000000001ED13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost