Windows Analysis Report
49b35e.msi

Overview

General Information

Sample name: 49b35e.msi
Analysis ID: 1653682
MD5: ecdd7739e76adee32b9cd61f4a132963
SHA1: 14e5ec6b9c6bdaab641009284e2f41067462bf21
SHA256: 59baa105734ae018e88a3abeee22657b083d2aaddf1c73e5564bf21382e5fa16
Tags: ArechClient2msiuser-smica83
Infos:

Detection

RedLine
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected RedLine Stealer
.NET source code contains potential unpacker
Drops large PE files
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\glenpw Virustotal: Detection: 36% Perma Link
Source: C:\Users\user\AppData\Local\Temp\mebrpk Virustotal: Detection: 36% Perma Link
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 99.9%
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7DF4AAC-D1B0-41F5-B96D-0DCF90182CC3} Jump to behavior
Source: Binary string: barbqqikrymslznvzum.pdb\ source: GmRemote.exe, 00000004.00000000.1075173535.00000000009B0000.00000002.00000001.01000000.00000004.sdmp, GmRemote.exe, 00000004.00000002.1180553657.00000000009B0000.00000002.00000001.01000000.00000004.sdmp, GmRemote.exe, 00000004.00000002.1182210716.00000000065B9000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000000.1500828332.00000000001B0000.00000002.00000001.01000000.0000000D.sdmp, GmRemote.exe, 00000010.00000002.1597336964.00000000001B0000.00000002.00000001.01000000.0000000D.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000005DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: barbqqikrymslznvzum.pdb source: GmRemote.exe, 00000004.00000000.1075173535.00000000009B0000.00000002.00000001.01000000.00000004.sdmp, GmRemote.exe, 00000004.00000002.1180553657.00000000009B0000.00000002.00000001.01000000.00000004.sdmp, GmRemote.exe, 00000004.00000002.1182210716.00000000065B9000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000000.1500828332.00000000001B0000.00000002.00000001.01000000.0000000D.sdmp, GmRemote.exe, 00000010.00000002.1597336964.00000000001B0000.00000002.00000001.01000000.0000000D.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000005DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MTF.pdbGCTL source: CasPol.exe, 00000005.00000002.1213367744.0000000000CB8000.00000008.00000001.01000000.00000000.sdmp, glenpw.4.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: CasPol.exe, 00000005.00000002.1237884647.0000000007110000.00000004.08000000.00040000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004A1D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004952000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: GmRemote.exe, 00000004.00000002.1198687529.00000000242AB000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1198245466.000000002397A000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1198498080.0000000023EF0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1214586562.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468287492.000000000467F000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468797617.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1610865305.00000000236F0000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1610684681.0000000023171000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611066031.0000000023AA3000.00000004.00000001.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661141449.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661565366.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: caspol.pdb source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000000.1140464457.00000000006C2000.00000002.00000001.01000000.00000008.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe.4.dr
Source: Binary string: Input.pdbGCTL source: GmRemote.exe, 00000004.00000002.1181171899.0000000003196000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1597900856.00000000029D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: GmRemote.exe, 00000004.00000002.1198687529.00000000242AB000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1198245466.000000002397A000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1198498080.0000000023EF0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1214586562.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468287492.000000000467F000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468797617.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1610865305.00000000236F0000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1610684681.0000000023171000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611066031.0000000023AA3000.00000004.00000001.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661141449.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661565366.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: CasPol.exe, 00000005.00000002.1237884647.0000000007110000.00000004.08000000.00040000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004A1D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004952000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Input.pdb source: GmRemote.exe, 00000004.00000002.1181171899.0000000003196000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1597900856.00000000029D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: caspol.pdb|v source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000000.1140464457.00000000006C2000.00000002.00000001.01000000.00000008.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe.4.dr
Source: Binary string: protobuf-net.pdb source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr
Source: Binary string: MTF.pdb source: CasPol.exe, CasPol.exe, 00000005.00000002.1213367744.0000000000CB8000.00000008.00000001.01000000.00000000.sdmp, glenpw.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbi source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B0C0CA FindFirstFileExW, 5_2_00B0C0CA
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_0085C0CA FindFirstFileExW, 17_2_0085C0CA
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\Local\Temp\31081\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\Local\Temp\c7bdf61f Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\Local\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 4x nop then jmp 030377B9h 9_2_0303768B
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: unknown TCP traffic detected without corresponding DNS query: 149.248.78.209
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0(
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: CasPol.exe, 00000005.00000002.1216754524.0000000003911000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000002.1630229801.00000000035BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://t2.symcb.com0
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://tl.symcd.com0&
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: GmRemote.exe, 00000004.00000002.1198856997.00000000244B5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D3F000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.00000000049D5000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023CB2000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004807000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: 66767a.rbs.1.dr String found in binary or memory: https://github.com/Ratbag
Source: 49b35e.msi, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: https://github.com/RatbagDialogBitmapdialogARPCONTACTBegoniaWindowsTypeNT40DisplayWindows
Source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004952000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000002.1648777581.0000000004672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: CasPol.exe, 00000014.00000002.1629065214.00000000027C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/m10GT1YV
Source: CasPol.exe, 00000014.00000002.1629065214.00000000027C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/m10GT1YVPO
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp, CasPol.exe, 00000005.00000002.1216754524.0000000003911000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000002.1630229801.00000000035BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: https://www.advancedinstaller.com
Source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: GmRemote.exe, 00000004.00000002.1182210716.000000002372E000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000003.1361213515.0000000005725000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000022F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.nortonlifelock.com/
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.CasPol.exe.4d68de8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 5.2.CasPol.exe.4d68de8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 20.2.CasPol.exe.820000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 17.2.CasPol.exe.48ae358.1.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 17.2.CasPol.exe.48ae358.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Drops large PE files
Source: C:\Windows\System32\msiexec.exe File dump: GmRemote.exe.1.dr 488096316 Jump to dropped file
Source: C:\Windows\SysWOW64\gpupdate.exe File dump: GmRemote.exe.6.dr 488096316 Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\667678.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI77EF.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI787C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI78BC.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI791A.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{D7DF4AAC-D1B0-41F5-B96D-0DCF90182CC3} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI79C7.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\66767b.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\66767b.msi Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI77EF.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B13331 5_2_00B13331
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00CB8E8C 5_2_00CB8E8C
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_038AD8C0 5_2_038AD8C0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_038A9500 5_2_038A9500
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_038A94F0 5_2_038A94F0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_038A9E81 5_2_038A9E81
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_038A9E90 5_2_038A9E90
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_0718F590 5_2_0718F590
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_0718F858 5_2_0718F858
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_0718DF38 5_2_0718DF38
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_07170006 5_2_07170006
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_07170040 5_2_07170040
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_012B0040 9_2_012B0040
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_012B0AC0 9_2_012B0AC0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_012B0006 9_2_012B0006
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_012B0A9D 9_2_012B0A9D
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03031050 9_2_03031050
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0303A080 9_2_0303A080
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03037598 9_2_03037598
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03038900 9_2_03038900
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03031940 9_2_03031940
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0303E33C 9_2_0303E33C
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0303E350 9_2_0303E350
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0303A070 9_2_0303A070
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03031724 9_2_03031724
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03031738 9_2_03031738
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03034608 9_2_03034608
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03037588 9_2_03037588
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_030345F8 9_2_030345F8
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03031931 9_2_03031931
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0303D938 9_2_0303D938
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0303D948 9_2_0303D948
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_030359BB 9_2_030359BB
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_030388F0 9_2_030388F0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03037D08 9_2_03037D08
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_03037C4C 9_2_03037C4C
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_05988798 9_2_05988798
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_05987828 9_2_05987828
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_05986308 9_2_05986308
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_05983522 9_2_05983522
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0598E487 9_2_0598E487
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_059834F6 9_2_059834F6
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0598877A 9_2_0598877A
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0598D9B0 9_2_0598D9B0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_05987130 9_2_05987130
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_05987140 9_2_05987140
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_05987818 9_2_05987818
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_059862E3 9_2_059862E3
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_0598DA40 9_2_0598DA40
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_030359C8 9_2_030359C8
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_00863331 17_2_00863331
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_026FD8C0 17_2_026FD8C0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_026F94F0 17_2_026F94F0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_026F9500 17_2_026F9500
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_026F9E81 17_2_026F9E81
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_026F9E90 17_2_026F9E90
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_06CCF590 17_2_06CCF590
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_06CCF858 17_2_06CCF858
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_06CCDF38 17_2_06CCDF38
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_06CB0040 17_2_06CB0040
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_06CB0023 17_2_06CB0023
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_02671050 20_2_02671050
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_02671940 20_2_02671940
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_02677598 20_2_02677598
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_02677264 20_2_02677264
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_02671933 20_2_02671933
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_026759AB 20_2_026759AB
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_02674608 20_2_02674608
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_02671733 20_2_02671733
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_026745F8 20_2_026745F8
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_026759C8 20_2_026759C8
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Windows\Installer\MSI77EF.tmp BF7F6F7E527AB8617766BB7A21C21B2895B5275C0E808756C2AADCD66EFF8A97
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: String function: 00857600 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: String function: 00B07600 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: String function: 00CC21A3 appears 48 times
Sample file is different than original file name gathered from version info
Source: 49b35e.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs 49b35e.msi
Yara signature match
Source: 5.2.CasPol.exe.4d68de8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 5.2.CasPol.exe.4d68de8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 20.2.CasPol.exe.820000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 17.2.CasPol.exe.48ae358.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 17.2.CasPol.exe.48ae358.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: CasPol.exe.4.dr, caspol.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: CasPol.exe.4.dr, caspol.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal96.troj.evad.winMSI@21/35@0/1
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B02150 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle, 5_2_00B02150
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML7A11.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\ANPURYGXTTM
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Mutant created: \Sessions\1\BaseNamedObjects\Avira.Security.Systray@abff403a-9b56-48e6-8753-10fb19692501
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Emullmqy
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\617cf937816a42d9b9313f9aacca7572
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFE010206A9FD79970.TMP Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\49b35e.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 406DFCD208F2E3201E062204E7D36772
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Kart\GmRemote.exe "C:\Users\user\AppData\Local\Kart\GmRemote.exe"
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process created: C:\Windows\SysWOW64\gpupdate.exe C:\Windows\SysWOW64\gpupdate.exe
Source: C:\Windows\SysWOW64\gpupdate.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe "C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe C:\Users\user\AppData\Roaming\Aact\GmRemote.exe
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Process created: C:\Windows\SysWOW64\gpupdate.exe C:\Windows\SysWOW64\gpupdate.exe
Source: C:\Windows\SysWOW64\gpupdate.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe "C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 406DFCD208F2E3201E062204E7D36772 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Kart\GmRemote.exe "C:\Users\user\AppData\Local\Kart\GmRemote.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process created: C:\Windows\SysWOW64\gpupdate.exe C:\Windows\SysWOW64\gpupdate.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe "C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Process created: C:\Windows\SysWOW64\gpupdate.exe C:\Windows\SysWOW64\gpupdate.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe "C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: input.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: input.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\gpupdate.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7DF4AAC-D1B0-41F5-B96D-0DCF90182CC3} Jump to behavior
Source: 49b35e.msi Static file information: File size 4930560 > 1048576
Source: Binary string: barbqqikrymslznvzum.pdb\ source: GmRemote.exe, 00000004.00000000.1075173535.00000000009B0000.00000002.00000001.01000000.00000004.sdmp, GmRemote.exe, 00000004.00000002.1180553657.00000000009B0000.00000002.00000001.01000000.00000004.sdmp, GmRemote.exe, 00000004.00000002.1182210716.00000000065B9000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000000.1500828332.00000000001B0000.00000002.00000001.01000000.0000000D.sdmp, GmRemote.exe, 00000010.00000002.1597336964.00000000001B0000.00000002.00000001.01000000.0000000D.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000005DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: barbqqikrymslznvzum.pdb source: GmRemote.exe, 00000004.00000000.1075173535.00000000009B0000.00000002.00000001.01000000.00000004.sdmp, GmRemote.exe, 00000004.00000002.1180553657.00000000009B0000.00000002.00000001.01000000.00000004.sdmp, GmRemote.exe, 00000004.00000002.1182210716.00000000065B9000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000000.1500828332.00000000001B0000.00000002.00000001.01000000.0000000D.sdmp, GmRemote.exe, 00000010.00000002.1597336964.00000000001B0000.00000002.00000001.01000000.0000000D.sdmp, GmRemote.exe, 00000010.00000002.1598673015.0000000005DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MTF.pdbGCTL source: CasPol.exe, 00000005.00000002.1213367744.0000000000CB8000.00000008.00000001.01000000.00000000.sdmp, glenpw.4.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: CasPol.exe, 00000005.00000002.1237884647.0000000007110000.00000004.08000000.00040000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004A1D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004952000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: GmRemote.exe, 00000004.00000002.1198687529.00000000242AB000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1198245466.000000002397A000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1198498080.0000000023EF0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1214586562.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468287492.000000000467F000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468797617.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1610865305.00000000236F0000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1610684681.0000000023171000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611066031.0000000023AA3000.00000004.00000001.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661141449.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661565366.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: caspol.pdb source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000000.1140464457.00000000006C2000.00000002.00000001.01000000.00000008.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe.4.dr
Source: Binary string: Input.pdbGCTL source: GmRemote.exe, 00000004.00000002.1181171899.0000000003196000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1597900856.00000000029D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: GmRemote.exe, 00000004.00000002.1198687529.00000000242AB000.00000004.00000001.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1198245466.000000002397A000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1198498080.0000000023EF0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1214586562.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468287492.000000000467F000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000006.00000002.1468797617.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1610865305.00000000236F0000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1610684681.0000000023171000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611066031.0000000023AA3000.00000004.00000001.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661141449.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661565366.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: CasPol.exe, 00000005.00000002.1237884647.0000000007110000.00000004.08000000.00040000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004A1D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1229238582.0000000004952000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Input.pdb source: GmRemote.exe, 00000004.00000002.1181171899.0000000003196000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1597900856.00000000029D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: caspol.pdb|v source: GmRemote.exe, 00000004.00000002.1198856997.0000000024655000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.1215047827.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000000.1140464457.00000000006C2000.00000002.00000001.01000000.00000008.sdmp, gpupdate.exe, 00000006.00000002.1468426205.0000000004A1E000.00000004.00000800.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1611215494.0000000023E52000.00000004.00000020.00020000.00000000.sdmp, gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe.4.dr
Source: Binary string: protobuf-net.pdb source: CasPol.exe, 00000005.00000002.1236334153.00000000068D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr
Source: Binary string: MTF.pdb source: CasPol.exe, CasPol.exe, 00000005.00000002.1213367744.0000000000CB8000.00000008.00000001.01000000.00000000.sdmp, glenpw.4.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbi source: 49b35e.msi, MSI77EF.tmp.1.dr, MSI78BC.tmp.1.dr, 66767b.msi.1.dr, 667678.msi.1.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 5.2.CasPol.exe.4a1d0f0.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 5.2.CasPol.exe.5d30000.8.raw.unpack, Nzplunwxjs.cs .Net Code: Zkgejpil System.Reflection.Assembly.Load(byte[])
Yara detected Costura Assembly Loader
Source: Yara match File source: 5.2.CasPol.exe.71d0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.CasPol.exe.71d0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.1630229801.00000000035BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1216754524.0000000003911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1238404001.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3888, type: MEMORYSTR
PE file contains sections with non-standard names
Source: glenpw.4.dr Static PE information: section name: rfgjq
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Code function: 4_2_0097B9AF push ecx; ret 4_2_0097B9C2
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B13A73 push ecx; ret 5_2_00B13A86
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 9_2_030341AB pushfd ; ret 9_2_030341E6
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Code function: 16_2_0017B9AF push ecx; ret 16_2_0017B9C2
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_00863A73 push ecx; ret 17_2_00863A86
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 20_2_026741AB pushfd ; ret 20_2_026741E6
Drops PE files
Source: C:\Windows\SysWOW64\gpupdate.exe File created: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI791A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File created: C:\Users\user\AppData\Local\Temp\mebrpk Jump to dropped file
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe File created: C:\Users\user\AppData\Local\Temp\glenpw Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Kart\GmRemote.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe File created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI77EF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI78BC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI787C.tmp Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI791A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI77EF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI78BC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI787C.tmp Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe File created: C:\Users\user\AppData\Local\Temp\glenpw Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File created: C:\Users\user\AppData\Local\Temp\mebrpk Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Found hidden mapped module (file has been removed from disk)
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GLENPW
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\MEBRPK
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe API/Special instruction interceptor: Address: 6D6090B4
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe API/Special instruction interceptor: Address: 6D363F54
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe API/Special instruction interceptor: Address: 6D608DB8
Source: C:\Windows\SysWOW64\gpupdate.exe API/Special instruction interceptor: Address: 6D604B84
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe API/Special instruction interceptor: Address: 6D6090B4
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe API/Special instruction interceptor: Address: 6D608DB8
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CasPol.exe, 00000005.00000002.1216754524.0000000003911000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000002.1630229801.00000000035BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 3860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 3910000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 5910000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 3210000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 2640000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 3500000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 2640000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 2650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 27C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: 47C0000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B02150 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle, 5_2_00B02150
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Window / User API: threadDelayed 2175 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Window / User API: threadDelayed 7618 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI791A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mebrpk Jump to dropped file
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\glenpw Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI77EF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI78BC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI787C.tmp Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 7064 Thread sleep count: 180 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -35971150943733603s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -33357s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 5544 Thread sleep count: 2175 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -59875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 5544 Thread sleep count: 7618 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -41384s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -59766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -35184s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -59656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -33291s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -59547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -59422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -58883s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -59313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -59203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -59094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -58848s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58985s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -38724s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -39273s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58641s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -58712s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -45056s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58412s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -48941s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -58078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -51943s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57969s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57749s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57638s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57530s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -51792s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -54992s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -57094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -36800s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56985s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -51749s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -43817s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -50705s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -35895s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -39558s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -47761s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -56000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -55891s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -55781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -38874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -55660s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -40469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -55532s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -41971s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -55422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -55313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -35480s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -55188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -55078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -48264s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -54966s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -54860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -52978s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -54750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6076 Thread sleep time: -37298s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 424 Thread sleep time: -54623s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 5740 Thread sleep count: 184 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe TID: 6868 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B0C0CA FindFirstFileExW, 5_2_00B0C0CA
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_0085C0CA FindFirstFileExW, 17_2_0085C0CA
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 33357 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 59875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 41384 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 59766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 35184 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 59656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 33291 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 59547 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 59422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58883 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 59313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 59203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 59094 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58848 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 38724 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 39273 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58641 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58712 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 45056 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58412 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58297 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 48941 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58188 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 58078 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 51943 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57969 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57859 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57749 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57638 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57530 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 51792 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 54992 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 57094 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 36800 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 51749 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56547 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 43817 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 50705 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56438 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 35895 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56219 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 39558 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 47761 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 56000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 55891 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 55781 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 38874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 55660 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 40469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 55532 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 41971 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 55422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 55313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 35480 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 55188 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 55078 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 48264 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 54966 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 54860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 52978 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 54750 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 37298 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 54623 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\Local\Temp\31081\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\Local\Temp\c7bdf61f Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\Local\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe File opened: C:\Users\user~1\AppData\ Jump to behavior
Source: gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: CasPol.exe, 00000011.00000002.1630229801.00000000035BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: gpupdate.exe, 00000012.00000002.1661304071.0000000004850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: CasPol.exe, 00000011.00000002.1630229801.00000000035BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: CasPol.exe, 00000009.00000002.3362486965.00000000013E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Code function: 4_2_009800C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_009800C3
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B02150 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle, 5_2_00B02150
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B0E7E3 GetProcessHeap, 5_2_00B0E7E3
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process token adjusted: Debug Jump to behavior
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Kart\GmRemote.exe "C:\Users\user\AppData\Local\Kart\GmRemote.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Code function: 4_2_009800C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_009800C3
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Code function: 4_2_0097BD65 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0097BD65
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B073D5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B073D5
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B07538 SetUnhandledExceptionFilter, 5_2_00B07538
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B06EF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00B06EF0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B09E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B09E30
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Code function: 16_2_0017BD65 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_0017BD65
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Code function: 16_2_001800C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_001800C3
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_008573D5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_008573D5
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_00857538 SetUnhandledExceptionFilter, 17_2_00857538
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_00856EF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00856EF0
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 17_2_00859E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00859E30
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Section loaded: NULL target: C:\Windows\SysWOW64\gpupdate.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Section loaded: NULL target: C:\Windows\SysWOW64\gpupdate.exe protection: read write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Process created: C:\Windows\SysWOW64\gpupdate.exe C:\Windows\SysWOW64\gpupdate.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe "C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Process created: C:\Windows\SysWOW64\gpupdate.exe C:\Windows\SysWOW64\gpupdate.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Process created: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe "C:\Users\user~1\AppData\Local\Temp\31081\CasPol.exe" Jump to behavior
Source: GmRemote.exe, 00000004.00000002.1181171899.00000000031D1000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000004.00000002.1181171899.0000000003196000.00000004.00000020.00020000.00000000.sdmp, GmRemote.exe, 00000010.00000002.1597900856.0000000002A0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %s\%08xWinStationGetConnectionPropertywinsta.dllWinStationQueryInformationWWinStationFreePropertyValue\System32SYSTEM\CurrentControlSet\Control\Keyboard Layouts\%08xIME fileSOFTWARE\Classes\CLSID\%s\InprocServer32ThreadingModelApartmentSOFTWARE\Classes\CLSID\%s\LocalServer32Shell_TrayWndAttributesKeyboard Layout
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Code function: 5_2_00B07645 cpuid 5_2_00B07645
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad77a551 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aact\GmRemote.exe Queries volume information: C:\Users\user\AppData\Local\Temp\c6e5b386 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Kart\GmRemote.exe Code function: 4_2_0097C1CE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_0097C1CE
Source: C:\Users\user\AppData\Local\Temp\31081\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 5.2.CasPol.exe.4d68de8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.CasPol.exe.4d68de8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.CasPol.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.CasPol.exe.48ae358.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.CasPol.exe.48ae358.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1229238582.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1626970669.0000000000822000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1648777581.0000000004672000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1229238582.0000000004D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5640, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 5.2.CasPol.exe.4d68de8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.CasPol.exe.4d68de8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.CasPol.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.CasPol.exe.48ae358.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.CasPol.exe.48ae358.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1229238582.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1626970669.0000000000822000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1648777581.0000000004672000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1229238582.0000000004D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5640, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 5.2.CasPol.exe.4d68de8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.CasPol.exe.4d68de8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.CasPol.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.CasPol.exe.48ae358.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.CasPol.exe.48ae358.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1229238582.0000000004A82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1626970669.0000000000822000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1648777581.0000000004672000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1229238582.0000000004D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5640, type: MEMORYSTR
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1653682 Sample: 49b35e.msi Startdate: 01/04/2025 Architecture: WINDOWS Score: 96 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 Yara detected RedLine Stealer 2->69 71 3 other signatures 2->71 8 msiexec.exe 93 47 2->8         started        11 GmRemote.exe 4 2->11         started        14 msiexec.exe 2 2->14         started        process3 file4 45 C:\Windows\Installer\MSI791A.tmp, PE32 8->45 dropped 47 C:\Windows\Installer\MSI78BC.tmp, PE32 8->47 dropped 49 C:\Windows\Installer\MSI787C.tmp, PE32 8->49 dropped 53 2 other malicious files 8->53 dropped 16 GmRemote.exe 10 8->16         started        20 msiexec.exe 8->20         started        51 C:\Users\user\AppData\Local\Temp\mebrpk, PE32 11->51 dropped 73 Found hidden mapped module (file has been removed from disk) 11->73 75 Maps a DLL or memory area into another process 11->75 77 Switches to a custom stack to bypass stack traces 11->77 22 CasPol.exe 2 11->22         started        24 gpupdate.exe 1 11->24         started        79 Drops large PE files 14->79 signatures5 process6 file7 41 C:\Users\user\AppData\Local\Temp\glenpw, PE32 16->41 dropped 43 C:\Users\user\AppData\Local\...\CasPol.exe, PE32 16->43 dropped 59 Found hidden mapped module (file has been removed from disk) 16->59 61 Maps a DLL or memory area into another process 16->61 63 Switches to a custom stack to bypass stack traces 16->63 26 gpupdate.exe 3 16->26         started        30 CasPol.exe 2 16->30         started        32 CasPol.exe 1 22->32         started        34 conhost.exe 24->34         started        signatures8 process9 file10 55 C:\Users\user\AppData\...behaviorgraphmRemote.exe, PE32 26->55 dropped 81 Drops large PE files 26->81 83 Switches to a custom stack to bypass stack traces 26->83 36 conhost.exe 26->36         started        85 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->85 38 CasPol.exe 2 30->38         started        signatures11 process12 dnsIp13 57 149.248.78.209, 443, 49689, 49694 COEXTRO-01CA Canada 38->57
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.248.78.209
 unknown Canada
36445 COEXTRO-01CA false