Source: CasPol.exe, 00000008.00000003.167481132146.00000000071B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: CasPol.exe, 00000008.00000003.167481132146.00000000071B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: CasPol.exe, 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://google.com |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, Windowss.exe.8.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0c-b0-docs.googleusercontent.com/ |
Source: CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0c-b0-docs.googleusercontent.com/H |
Source: CasPol.exe, 00000008.00000003.167744785159.00000000071ED000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167481132146.00000000071F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0c-b0-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gop7ht5q |
Source: CasPol.exe, 00000008.00000003.167744785159.000000000717A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167744785159.0000000007162000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/ |
Source: CasPol.exe, 00000008.00000003.167744785159.0000000007162000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1GWkPMapRdWHnFBq8NG4QBMUUzbTsJcvy |
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, | 2_2_004054B0 |
Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems) |
Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems) |
Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: Process Memory Space: CasPol.exe PID: 7876, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: CasPol.exe PID: 7876, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 8.3.CasPol.exe.3914b6be.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 8.3.CasPol.exe.39165717.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 8.3.CasPol.exe.39165717.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 8.3.CasPol.exe.3915fce9.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 8.3.CasPol.exe.3914b6be.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000008.00000003.167512023875.0000000039142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: Process Memory Space: CasPol.exe PID: 7876, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: CasPol.exe PID: 7876, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, | 2_2_0040344A |
Source: unknown | Process created: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | |
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp673D.tmp | |
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0 | |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe | Process information set: NOOPENFILEERRORBOX | |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process information set: NOOPENFILEERRORBOX | |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX | |
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX | |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss |
Source: CasPol.exe, 00000008.00000003.167744785159.0000000007194000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.167744785159.0000000007162000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface |
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe, 00000002.00000002.167633646699.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat |