Source: |
Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdb source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.PDBb source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: caspol.pdbcaspol.pdbpdbpol.pdb\v4.0.30319\caspol.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\exe\caspol.pdbIN source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\caspol.pdbpdbpol.pdb source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: caspol.pdb source: CasPol.exe, 00000005.00000002.8995413020.0000000006F1D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\caspol.pdb. source: CasPol.exe, 00000005.00000002.9021000119.0000000039ACD000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: vcaspol.PDB 7 source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: m,C:\Windows\caspol.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\caspol.pdbr^ source: CasPol.exe, 00000005.00000002.9021000119.0000000039ACD000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdbe089 source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\exe\caspol.pdbN_ source: CasPol.exe, 00000005.00000002.9019911661.0000000039A58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: 9##.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: mC:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: m.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: c7symbols\exe\caspol.pdb source: CasPol.exe, 00000005.00000002.9012404165.0000000037637000.00000004.00000010.00020000.00000000.sdmp |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: CasPol.exe, 00000005.00000002.9014975295.0000000037959000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.com |
Source: CasPol.exe, 00000005.00000002.9014975295.0000000037959000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.org |
Source: CasPol.exe, 00000005.00000002.9014975295.00000000378A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.org/ |
Source: CasPol.exe, 00000005.00000002.8995413020.0000000006ED6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: CasPol.exe, 00000005.00000003.8679430245.0000000006ED3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006ED2000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: invoice.exe, invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp, invoice.exe, 00000001.00000000.7326800375.000000000040A000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp, invoice.exe, 00000001.00000000.7326800375.000000000040A000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://ocsp.digicert.com0N |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: CasPol.exe, 00000005.00000002.9014975295.00000000378A1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.avast.com0/ |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: CasPol.exe, 00000005.00000003.8679430245.0000000006EFD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006E97000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://doc-0k-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f |
Source: CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/ |
Source: CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S |
Source: invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\invoice.exe |
Code function: 1_2_004051CA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\invoice.exe |
Code function: 1_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: unknown |
Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe |
|
Source: C:\Users\user\Desktop\invoice.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\invoice.exe |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2544 |
|
Source: C:\Users\user\Desktop\invoice.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe |
Source: C:\Users\user\Desktop\invoice.exe |
File created: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll |
Source: C:\Users\user\Desktop\invoice.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe |
Source: C:\Users\user\Desktop\invoice.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll |
Source: C:\Users\user\Desktop\invoice.exe |
File created: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\AdvSplash.dll |
Source: C:\Users\user\Desktop\invoice.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll |
Source: C:\Users\user\Desktop\invoice.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: invoice.exe, 00000001.00000002.8702090248.000000000069E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga |
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicshutdown |
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: invoice.exe, 00000001.00000002.8702090248.0000000000658000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exen< |
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicvss |
Source: CasPol.exe, 00000005.00000002.8995413020.0000000006EAC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicheartbeat |